Abstract. In the standard testing theory of DeNicola-Hennessy one process is considered 
to be a refinement of another if every test guaranteed by the former is also guaranteed by 
the latter. In the domain of web services this has been recast, with processes viewed as 
servers and tests as clients. In this way the standard refinement preorder between servers 
is determined by their ability to satisfy clients. 

But in this setting there is also a natural refinement preorder between clients, determined 
by their ability to be satisfied by servers. In more general settings where there is no 
distinction between clients and servers, but all processes are peers, there is a further 
refinement preorder based on the mutual satisfaction of peers. 

We give a uniform account of these three preorders. In particular we give two characterisations. 
The first is behavioural, in terms of traces and ready sets. The second, for finite 
processes, is equational. 


1. Introduction 

The DeNicola-Hennessy theory of testing [NH84, DH87, Hen88] considers a process p to be 
a refinement of process q if every test passed by p is also passed by q. Recently, in papers 
such as [LP071 iBdlnl Kxipnm iPidTn], this refinement preorder has been recast with a view 
to providing theoretical foundations for web services. Here processes are viewed as servers 
and tests viewed as clients. In this terminology the standard (must) testing preorder is a 
refinement preorder between servers, which we denote by $p \sqsubseteq_{\mathrm{svr}} q$; this is determined by 
the ability of the servers p, q to satisfy clients. However in this framework there are many 
other natural behavioural preorders between processes. In this paper we investigate two; 
the first, $p \sqsubseteq_{\mathrm{clt}} q$, is determined by the ability of the clients p, q to be satisfied by servers. 
For the second we drop the distinction between clients and servers. Instead all processes 
are viewed as peers of each other and the purpose of interaction between two peers is the 
mutual satisfaction of both. The resulting refinement preorder is denoted by $p \sqsubseteq_{\mathrm{p2p}} q$. We 
give a uniform behavioural characterisation of all three refinement preorders in terms of 
traces and acceptance sets [NH84, Hen88]. We also give equational characterisations for a 
finite process calculus for servers/clients/peers. 

We use an infinitary version of CCS [Mil89] augmented by a success constant 1, to 
describe processes, be they servers, clients or peers. Thus $p = \tau.a.(b.0 + c.0) + \tau.a.c.0$ is a 
server which offers the action a followed by either b or c depending on how choices are 
made, and then terminates, denoted by 0. On the other hand r = a.c.1 is a test or a client 
which seeks a synchronisation on a followed by one on c; as usual [Mil89] communication or 
cooperation consists of the simultaneous occurrence of an action a and its complement $\bar a$. 
Thus when the server p is executed in parallel with the client r, the latter will always be 
satisfied, in that it is guaranteed to reach the successful state 1 regardless of how the various 
choices are made. But if the client is executed with the alternative server $q = \tau.a.b.0 + \tau.a.c.0$ 
there is a possibility of the client remaining unhappy; for this reason $p \not\sqsubseteq_{\mathrm{svr}} q$. However it 
turns out that $q \sqsubseteq_{\mathrm{svr}} p$ because every client satisfied by q will also be satisfied by p. 

The client preorder $p \sqsubseteq_{\mathrm{clt}} q$ compares the processes as clients, and their ability to be 
satisfied by servers. This refinement preorder turns out to be incomparable with the server 
preorder. For example $a.1 + b.0 \not\sqsubseteq_{\mathrm{svr}} a.1$ because of the client b.1. But $a.1 + b.0 \sqsubseteq_{\mathrm{clt}} a.1$ 
because every server satisfying the former also satisfies a.1; intuitively the extra component 
of the client b.0 puts no further demands on servers, because the execution of b will never 
lead to satisfaction. Conversely $a.1 \sqsubseteq_{\mathrm{svr}} a.0$ because 1 plays no role for processes acting as 
servers, while $a.1 \not\sqsubseteq_{\mathrm{clt}} a.0$; a.1 as a client is satisfied by the server a.0 while a.0 can never 
be satisfied as a client by any server. Behaviour relative to the client preorder $\sqsubseteq_{\mathrm{clt}}$ is very 
sensitive to the presence of 1 and 0; for example 0 is a least element, that is $0 \sqsubseteq_{\mathrm{clt}} r$ for any 
process r.¹ However in general the precise role these constants play is difficult to discern; 
for example, rather surprisingly we have $a.(b.0 + c.1) + a.(b.1 + c.0) \sqsubseteq_{\mathrm{clt}} 0$. 

If we ignore the distinction between servers and clients then every process plays an 
independent role as a peer to all other processes in its environment. This point of view leads 
to another behavioural preorder. Intuitively, we say that the process p satisfies its peer q if 
whenever they are executed in parallel both are guaranteed to be satisfied; in some sense 
both peers test their partner. Then $p_1 \sqsubseteq_{\mathrm{p2p}} p_2$ means that every peer satisfied by $p_1$ is also 
satisfied by $p_2$. 

The peer preorder is different from the server and client preorders. In fact we will show 
that $p_1 \sqsubseteq_{\mathrm{p2p}} p_2$ implies $p_1 \sqsubseteq_{\mathrm{clt}} p_2$, but the converse is not true in general. For example 
$1 + b.0 \sqsubseteq_{\mathrm{clt}} 1$ but $1 + b.0 \not\sqsubseteq_{\mathrm{p2p}} 1$ because of the peer b.1. In our formulation 1 + b.0 and b.1 
mutually satisfy each other, whereas the peers 1 and b.1 do not. 

The aim of the paper is to show that the theory of the standard (must) testing preorder 
[NH84, Hen88], here formulated as the server refinement preorder $\sqsubseteq_{\mathrm{svr}}$, can be extended to 
both the client and the peer refinement preorders. 

It is well-known that the behaviour of processes relative to $\sqsubseteq_{\mathrm{svr}}$ can be characterised in 
terms of the traces they can perform followed by ready or acceptance sets; intuitively each 
ready set A after a trace s captures a possibility for the process to deadlock when interacting 
with a client. For example the process $q = \tau.a.b.0 + \tau.a.c.0$ has the ready set { b } after the 
(weak) sequence of actions a; this represents the possibility of q deadlocking if servicing a 

¹ Note in passing that this is not the case for the server preorder; 0 as a server guarantees the client 
b.0 + τ.1 but the server b.0 does not. 
client which requests an action a but then is not subsequently interested in the action b. 
The process p = a.(b.0 + c.0) + a.c.0, also discussed above, has no comparable ready set 
and for this reason $p \not\sqsubseteq_{\mathrm{svr}} q$. 

The first main result of the paper is a similar behavioural characterisation of both 
the client and the peer refinement preorders, in terms of certain kinds of traces and ready 
sets. However the details are intricate. It turns out that unsuccessful traces, those which 
can be performed without reaching a successful state, play an essential role. We also need 
to parametrise these concepts, relative to usable actions and usable processes; the exact 
meaning of usable will depend on the particular refinement preorder being considered. 

It is also well-known that the standard testing preorders over finite processes can be 
characterised by a collection of (in-)equations over the process operators, [NH84, Hen88]. 
The second main result of the paper is a similar characterisation of the new refinement 
preorders. In fact there is a complication here, as these preorders are not in general preserved 
by the external operator +. A similar complication occurred in Section 7.2 of [Mil89] in 
the axiomatisation of weak bisimulation equivalence, and in the axiomatisations of the must 
testing preorder in [NH84], and we adopt the same solution. We give sound and complete 
(in-)equational theories for the largest pre-congruences contained in the refinement 
preorders $\sqsubseteq_{\mathrm{clt}}$ and $\sqsubseteq_{\mathrm{p2p}}$ respectively, over a finite version of CCS. The presence of the success 
constant 1 in this language complicates the axiomatisations considerably, as the behaviour 
of clients and peers is very dependent on their ability to immediately report success. For 
this reason we reformulate the axiomatisation of the must testing preorder from [NH84], which 
in this paper coincides with the server preorder, as a two-sorted equational theory. 
The characterisation of the client and server preorders, $\sqsubseteq_{\mathrm{clt}}$ and $\sqsubseteq_{\mathrm{svr}}$ respectively, requires extra 
equations to capture the behaviour of the special processes 1 and 0. For example one of 
the inequations required by the client preorder is $x \le 1$, while those for the peer preorder 
include $\mu.(1 + x) \le 1 + \mu.x$. 

The remainder of the paper is organised as follows. Section 2 is devoted to definitions 
and notation. We introduce a language for describing processes, an infinitary version of 
the CCS used in [Mil89], and give the standard intensional interpretation of it as a labelled 
transition system, LTS. For the remainder of the paper, processes will then be considered 
to be states in the resulting LTS. We also formally define the three different refinement 
preorders discussed informally in the Introduction, by generalising the standard notion from 
[NH84] of applying tests to processes. 

We begin Section 3 by recalling the well-known characterisation of the must preorder 
(Theorem 3.1) for finite branching LTSs from [NH84] in terms of traces and ready sets. 
To adapt this for the client preorder we need some extra technical notation. This is 
motivated by a series of examples, until we finally obtain a statement of the characterisation 
theorem (Theorem 3.13). The proof of this result is delegated to a separate subsequent 
section, Section 4. Meanwhile Section 3 continues by showing how the notation used in 
this characterisation of the client preorder can be modified in a uniform manner to give 
an analogous characterisation of the server preorder (Theorem 3.15), which applies even 
in LTSs which are not finite-branching. Finally by combining these we get an analogous 
characterisation (Theorem 3.20) for the peer preorder. 

Section 4, which contains the details of the behavioural characterisation theorem for 
clients, is divided into three sub-sections. The first is devoted to some technical results 
concerning the relations used in the characterisation. The soundness of the characterisation 
is the topic of the next sub-section, Section 4.2, while the converse completeness is covered 
in the final sub-section. 

Section 5 is similar in structure, but deals with the behavioural characterisation of the 
peer preorder. 

In Section 6 we restrict our attention to a finite sub-language of CCS and address the 
question of equational characterisations. We first show why the client and peer refinement 
preorders are not preserved by the external choice operator +, and give a simple behavioural 
characterisation of the associated pre-congruences, which simply involves 
taking into account the initial behaviour of processes. We then explain the equations which 
need to be added to the standard set in order to obtain an equational characterisation of 
the client and peer pre-congruences; these are stated in Theorem 6.7 and Theorem 6.9 
respectively. The proof of the soundness of the equations is straightforward and is left to the 
reader. But the completeness is considerably more complex and the details are self-contained 
in a separate section, Section 7. This again is divided into three sub-sections. The first is 
devoted to the exposition of normal-forms which are crucial to the completeness proofs. 
This is followed by two sub-sections, dealing with the client preorder first, followed by the 
peer preorder. 

The paper ends with Section 8, where we present a summary of our results, a comparison 
with the existing work, and a series of open questions. Most of the material described in the 
paper, in particular the results in Section]^ to Section]^, was originally reported in [Ber13]. 


2. Testing processes 

Let Act be a set of actions, ranged over by a, 5, c,... and let r, / be two distinct actions not 
in Act; the first will denote internal unobservable activity while the second will be used to 
report the success of an experiment. To emphasise their distinctness we use Act^ to denote 
the set Act U { r }, and similarly for Act,- /; we use /r to range over the former and A to range 
over the latter. We assume Act has an idempotent complementation function, with a being 
the complement to a. A labelled transition system, LTS, consists of a triple ( P, Act,-/, —>), 
where P is a set of states and —?• C P x Act^- / x P is a transition relation between states 
decorated with labels drawn from the set Act,- /. We use the infix notation p q in place 
of {p, A, q) G —>. An LTS is finite-branching if for all p G P and for all A G Act,-/, the set 

{q \ p <? } is finite. Single transitions p q are extended to sequences of transitions 
p —^ q, where t G (Actr/)*, in the standard manner. For s G (Act/)* we also have the 
standard weak transitions, p q, defined by ignoring the occurrences of rs. Somewhat 
nonstandard is the use of inhnite weak transitions, p =^, for u G (Act)°°. Finally we lift in 
the obvious way the complementation function to both finite and infinite traces, so that, for 
example, s is the complement of s. 

It will be convenient to have a notation for describing LTSs; we use an infinitary version 
of CCS, [Mil89], augmented with a success operator, 1. The syntax of the language is 
depicted in Figure 1. We use 0 to denote the empty external sum $\sum_{i \in \emptyset} p_i$ and $p_1 + p_2$ 
for the binary sum $\sum_{i \in \{1,2\}} p_i$. If I is a non-empty set, we use $\bigoplus_{i \in I} p_i$ to denote the 
sum $\sum_{i \in I} \tau.p_i$. For the remainder of the paper we use the LTS whose states are the terms in 
CCS and where the relations $p \xrightarrow{\lambda} q$ are the least ones determined by the (standard) rules 
in Figure 2. We use finite branching CCS to refer to the LTS whose states are terms from 
$p, q, r \;::=\; 1 \;\mid\; A \;\mid\; \mu.p \;\mid\; \sum_{i \in I} p_i$ 

where I is a countable index set, and A ranges over a set of definitional constants each of 
which has an associated definition $A \stackrel{\mathrm{def}}{=} p_A$. 

Figure 1: Syntax of infinitary CCS. 


(a-Ok) $1 \xrightarrow{\checkmark} 0$ 

(a-Pre) $\mu.p \xrightarrow{\mu} p$ 

(r-Ext-l) $\dfrac{p \xrightarrow{\lambda} p'}{p + q \xrightarrow{\lambda} p'}$ 

(r-Ext-r) $\dfrac{q \xrightarrow{\lambda} q'}{p + q \xrightarrow{\lambda} q'}$ 

(r-Const) $\dfrac{p \xrightarrow{\lambda} p'}{A \xrightarrow{\lambda} p'} \quad A \stackrel{\mathrm{def}}{=} p$ 

Figure 2: The operational semantics of CCS 


Figure 3: The operational semantics of contract composition: rules (p-Left), (p-Right) and (p-Synch) 


CCS which generate finite branching structures. These are the ps in CCS such that the set 
$\{\, q \mid p \xrightarrow{\lambda} q \,\}$ is finite. 

To model the interactions that take place between the server and the client contracts, 
we introduce a binary composition of contracts, $p \parallel r$, whose operational semantics is in 
Figure 3. 

A computation consists of a series of τ actions of the form 

$p \parallel r = p_0 \parallel r_0 \xrightarrow{\tau} p_1 \parallel r_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} p_k \parallel r_k \xrightarrow{\tau} \cdots$ (2.1) 

It is maximal if it is infinite, or whenever $p_n \parallel r_n$ is the last state then $p_n \parallel r_n \not\xrightarrow{\tau}$. A 
computation may be viewed as two processes p, r, one a server and the other a client, 
co-operating to achieve individual goals, which may or may not be independent. We say 
that the computation in (2.1) is client-successful if there exists some $k \ge 0$ such that $r_k \xrightarrow{\checkmark}$. 
It is successful if it is client-successful and there exists an $l \ge 0$ such that $p_l \xrightarrow{\checkmark}$. In a 
client-successful computation the client can report success while in a successful computation 
both the client and the server can report success; note however that they are not required 
to do so at the same time. 

Definition 2.1 (Passing tests). We write $p\ \mathsf{must}\ r$ if every maximal computation from 
$p \parallel r$ is client-successful. We write $p\ \mathsf{must}^{\mathrm{p2p}}\ r$ if every such computation is successful. 

Intuitively, $p\ \mathsf{must}\ r$ means that the client r is satisfied by the server p, as r always 
reaches a state where it can report success. On the other hand, $p\ \mathsf{must}^{\mathrm{p2p}}\ r$ means that p 
passes r and r also passes p; so p and r have to collaborate in order to pass each other. This 
is why when using the testing relation $\mathsf{must}^{\mathrm{p2p}}$ we think of p and r as two peers rather than 
a server and a client. 

Definition 2.2 (Testing preorders). In an arbitrary LTS we write 

(1) $p_1 \sqsubseteq_{\mathrm{svr}} p_2$ if for every r, $p_1\ \mathsf{must}\ r$ implies $p_2\ \mathsf{must}\ r$ 

(2) $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ if for every p, $p\ \mathsf{must}\ r_1$ implies $p\ \mathsf{must}\ r_2$ 

(3) $p_1 \sqsubseteq_{\mathrm{p2p}} p_2$ if for every r, $p_1\ \mathsf{must}^{\mathrm{p2p}}\ r$ implies $p_2\ \mathsf{must}^{\mathrm{p2p}}\ r$. 

We use the obvious notation for the kernel of these preorders; for instance $p_1 \simeq_{\mathrm{p2p}} p_2$ means 
that $p_1 \sqsubseteq_{\mathrm{p2p}} p_2$ and $p_2 \sqsubseteq_{\mathrm{p2p}} p_1$. 

The preorder $\sqsubseteq_{\mathrm{svr}}$ is meant to compare servers, as $p_1 \sqsubseteq_{\mathrm{svr}} p_2$ ensures that all the clients 
passed (wrt must) by $p_1$ are passed also by $p_2$. The preorder $\sqsubseteq_{\mathrm{clt}}$ relates processes seen as 
clients, because $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ means that all the servers that satisfy $r_1$ satisfy also $r_2$. The third 
preorder, $\sqsubseteq_{\mathrm{p2p}}$, relates processes seen as peers; this follows from the fact that $p\ \mathsf{must}^{\mathrm{p2p}}\ r$ is 
true only if p and r mutually satisfy each other. 

3. Semantic characterisations 

The standard (must) testing preorder from [NH84, Hen88] has been characterised for finite-
branching LTSs using two behavioural predicates. The first, $p \Downarrow s$, says that p can never 
come across a divergent residual while executing the sequence of actions $s \in \mathrm{Act}^*$. We use 
the notation $p \Downarrow$, p converges, to mean that there is no infinite sequence 

$p \xrightarrow{\tau} p_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} p_k \xrightarrow{\tau} \cdots$ 

Then the general convergence predicate is defined inductively as follows: 

(a) $p \Downarrow \varepsilon$ whenever $p \Downarrow$ 

(b) $p \Downarrow as$ whenever 

  (1) $p \Downarrow$ and 

  (2) if $p \stackrel{a}{\Longrightarrow}$ then $\bigoplus(p\ \mathrm{after}\ a) \Downarrow s$ 

where $(p\ \mathrm{after}\ s)$ denotes the set $\{\, p' \mid p \stackrel{s}{\Longrightarrow} p' \,\}$. Note that $p \stackrel{a}{\Longrightarrow}$ ensures that $(p\ \mathrm{after}\ a)$ is 
non-empty; thus $\bigoplus(p\ \mathrm{after}\ a)$ consists of the choice between the elements of the non-empty 
set $(p\ \mathrm{after}\ a)$, which may in general be infinite. 

The second predicate codifies the possible deadlocks which may occur when a process p 
attempts to execute the (weak) trace of actions $s \in \mathrm{Act}^*$: 

$\mathrm{Acc}(p, s) = \{\, S(q) \mid p \stackrel{s}{\Longrightarrow} q \not\xrightarrow{\tau} \,\}$ (3.1) 

where $S(q) = \{\, a \in \mathrm{Act} \mid q \xrightarrow{a} \,\}$ is the set of actions performed strongly by q. The sets $S(q)$ 
are called ready sets, while we say that $\mathrm{Acc}(p, s)$ is the acceptance set of p after a trace s. 
Ready sets are essentially the complements of the refusal sets used in [Hoa85]. The sets in 
$\mathrm{Acc}(p, s)$ describe the interactions that can lead p out of a possible deadlock, reached by 
executing the trace s of external actions. 


Theorem 3.1. [DH87, Hen88] In finite branching CCS, $p \sqsubseteq_{\mathrm{svr}} q$ if and only if, for every 
$s \in \mathrm{Act}^*$, if $p \Downarrow s$ then 

(i) $q \Downarrow s$, 

(ii) for every $B \in \mathrm{Acc}(q, s)$ there exists some $A \in \mathrm{Acc}(p, s)$ such that $A \subseteq B$. 
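As an added example, not code from the paper, the following Python models finite CCS terms (no definitional constants) and checks the must-testing relations of Definitions 2.1 and 2.2 and the acceptance-set condition of Theorem 3.1 on the processes p, q and r of the Introduction. It assumes the standard composition rules described in the text (interleaving of internal moves, synchronisation of an action with its complement), takes acceptance sets over stable residuals as in (3.1), and writes the client's actions as complements (~a) of the server's, since the overbars are lost in this copy of the text.

```python
# Added example (not code from the paper): finite CCS terms with the success constant 1,
# the must-testing relations of Definitions 2.1/2.2 and the acceptance sets of Theorem 3.1.
# Terms are nested tuples; with no definitional constants every computation is finite.
#   ('ok',)              the success constant 1
#   ('pre', act, p)      prefix act.p, act in Act or 'tau'; the complement of 'a' is '~a'
#   ('sum', (p1, ...))   external choice; the empty sum is 0
OK = ('ok',)
NIL = ('sum', ())

def pre(act, p): return ('pre', act, p)
def plus(*ps): return ('sum', tuple(ps))

def co(act):  # complement of an external action: a <-> ~a (idempotent, as in Section 2)
    return act[1:] if act.startswith('~') else '~' + act

def steps(p):
    """Strong transitions of p as (label, residual) pairs; 'ok' is the success action."""
    if p[0] == 'ok':
        return [('ok', NIL)]                     # rule (a-Ok): 1 --ok--> 0
    if p[0] == 'pre':
        return [(p[1], p[2])]                    # rule (a-Pre)
    return [t for q in p[1] for t in steps(q)]   # rules (r-Ext-l) / (r-Ext-r)

def ready(p):
    """Ready set S(p): the external actions p can perform strongly."""
    return frozenset(l for l, _ in steps(p) if l not in ('tau', 'ok'))

def stable(p):
    return all(l != 'tau' for l, _ in steps(p))

def can_ok(p):
    return any(l == 'ok' for l, _ in steps(p))

def weak_after(p, s):
    """Residuals q with p ==s==> q, for s a tuple of external actions (tau moves ignored)."""
    closure, todo = {p}, [p]
    while todo:                                  # tau-closure of p
        for l, q in steps(todo.pop()):
            if l == 'tau' and q not in closure:
                closure.add(q)
                todo.append(q)
    if not s:
        return closure
    return {q2 for q in closure for l, q1 in steps(q) if l == s[0]
            for q2 in weak_after(q1, s[1:])}

def traces(p):
    """All finite weak traces of p (tuples of external actions)."""
    out = {()}
    for q in weak_after(p, ()):
        for l, q1 in steps(q):
            if l not in ('tau', 'ok'):
                out |= {(l,) + t for t in traces(q1)}
    return out

def acc(p, s):
    """Acceptance set Acc(p, s): ready sets of the stable residuals reached by the trace s."""
    return {ready(q) for q in weak_after(p, s) if stable(q)}

def par_steps(p, r):
    """tau moves of p || r: an internal move of either side, or a synchronisation a / ~a."""
    moves = [(p1, r) for l, p1 in steps(p) if l == 'tau']
    moves += [(p, r1) for l, r1 in steps(r) if l == 'tau']
    moves += [(p1, r1) for lp, p1 in steps(p) if lp not in ('tau', 'ok')
              for lr, r1 in steps(r) if lr == co(lp)]
    return moves

def maximal_computations(p, r):
    """Every maximal computation of p || r, as a list of (server, client) states."""
    nxt = par_steps(p, r)
    if not nxt:
        return [[(p, r)]]
    return [[(p, r)] + rest for p1, r1 in nxt for rest in maximal_computations(p1, r1)]

def must(p, r):
    """p must r: every maximal computation of p || r is client-successful."""
    return all(any(can_ok(rk) for _, rk in comp) for comp in maximal_computations(p, r))

def must_p2p(p, r):
    """p must^p2p r: every maximal computation is successful for both p and r."""
    return all(any(can_ok(rk) for _, rk in comp) and any(can_ok(pk) for pk, _ in comp)
               for comp in maximal_computations(p, r))

def refines_svr(p, q):
    """Condition (ii) of Theorem 3.1 for p below q in the server preorder; condition (i)
    holds trivially since every finite term converges.  Acc(q, s) is empty off traces(q)."""
    return all(any(A <= B for A in acc(p, s)) for s in traces(q) for B in acc(q, s))

# The Introduction's processes p = tau.a.(b.0 + c.0) + tau.a.c.0, q = tau.a.b.0 + tau.a.c.0
# and the client r = ~a.~c.1 (the client's actions are the complements of the server's).
P = plus(pre('tau', pre('a', plus(pre('b', NIL), pre('c', NIL)))),
         pre('tau', pre('a', pre('c', NIL))))
Q = plus(pre('tau', pre('a', pre('b', NIL))), pre('tau', pre('a', pre('c', NIL))))
R = pre('~a', pre('~c', OK))

if __name__ == '__main__':
    print('p must r:', must(P, R), ' q must r:', must(Q, R))          # True False
    print('Acc(q, a) =', acc(Q, ('a',)), ' q <=svr p:', refines_svr(Q, P), ' p <=svr q:', refines_svr(P, Q))
    print('peers 1+b.0, ~b.1:', must_p2p(plus(OK, pre('b', NIL)), pre('~b', OK)))  # True
```

The run confirms the Introduction's claims: r is satisfied by p but not by q, and the ready set {b} of q after a has no subset among the ready sets of p, which is exactly why p is not below q in the server preorder while q is below p.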


As might be expected, the behavioural properties used in Theorem 3.1 do not characterise 
the preorder $\sqsubseteq_{\mathrm{clt}}$. 

Counterexample 3.2. We prove that $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ does not imply that $r_1$ and $r_2$ satisfy the 
requirements of Theorem 3.1. 

One can prove that $r_1 \sqsubseteq_{\mathrm{clt}} r_2$, where $r_1, r_2$ denote b.a.1 and b.(c.0 + 1) respectively. Now 
consider the singleton trace b; obviously $r_i \Downarrow b$ for i = 1, 2. However calculations show that 
$\{c\} \in \mathrm{Acc}(r_2, b)$ and that $\mathrm{Acc}(r_1, b) = \{\{a\}\}$. So there is no set A in $\mathrm{Acc}(r_1, b)$ satisfying 
$A \subseteq \{c\}$. 


Our intention is to provide a behavioural characterisation of the client preorder $\sqsubseteq_{\mathrm{clt}}$, 
and later the peer preorder, along the lines of the characterisation of the server preorder 
given in Theorem 3.1. This will require the elaboration of new behavioural predicates which 
capture behaviour relevant to clients. Our approach is incremental. To motivate the role of 
these new predicates we first define two tentative "bad" characterisations of $\sqsubseteq_{\mathrm{clt}}$. In a series 
of examples we show the problems which arise with these characterisations, and which will 
motivate the necessity for our new client oriented behavioural predicates. These are then 
collated in Definition 3.10 to give the behavioural characterisation of $\sqsubseteq_{\mathrm{clt}}$. 

Some additional notation is in order. In Example 3.2 there is no need to require that the 
ready set $\{c\} \in \mathrm{Acc}(q, b)$ be matched by one in $\mathrm{Acc}(b.a.1, b)$, because q can report success 
immediately after performing b. Intuitively ready sets need only be matched when success 
has not yet been reported. In order to capture this intuition we use the following predicate. 
For every $s \in \mathrm{Act}^*$ let $p \stackrel{s}{\Longrightarrow}_{\checkmark} q$ be the least relation satisfying 

(a) $p \not\xrightarrow{\checkmark}$ implies $p \stackrel{\varepsilon}{\Longrightarrow}_{\checkmark} p$ 

(b) if $p' \stackrel{s}{\Longrightarrow}_{\checkmark} q$ and $p \not\xrightarrow{\checkmark}$ then 

  • $p \xrightarrow{a} p'$ implies $p \stackrel{as}{\Longrightarrow}_{\checkmark} q$ 

  • $p \xrightarrow{\tau} p'$ implies $p \stackrel{s}{\Longrightarrow}_{\checkmark} q$ 

Intuitively, $p \stackrel{s}{\Longrightarrow}_{\checkmark} q$ means that p can perform the sequence of external actions s ending up in 
state q without passing through any state which can report success; in particular neither p nor 
q can report success. This notation is extended to infinite traces, $u \in \mathrm{Act}^\infty$, by letting $p \stackrel{u}{\Longrightarrow}_{\checkmark}$ 
whenever there exists a $t \in (\mathrm{Act}_\tau)^\infty$ such that $t = \mu_1 \mu_2 \cdots$, (a) $p = p_0 \xrightarrow{\mu_1} p_1 \xrightarrow{\mu_2} p_2 \cdots$ 
implies that $p_i \not\xrightarrow{\checkmark}$ for every $p_i$, and (b) for every $n \in \mathbb{N}$ there exists a $k \in \mathbb{N}$ such that 
$u_n = (t_k)\!\restriction_{\tau}$, where $(t)\!\restriction_{\tau}$ is the string obtained by removing the τs from t. 

Definition 3.3. For every process p and trace $s \in \mathrm{Act}^*$, let 

$\mathrm{Acc}_\checkmark(p, s) = \{\, S(q) \mid p \stackrel{s}{\Longrightarrow}_{\checkmark} q \not\xrightarrow{\tau} \,\}$ 

We call the set $\mathrm{Acc}_\checkmark(p, s)$ the unsuccessful acceptance set of p after s. 
Our first attempt at adapting the characterisation for servers in Theorem 3.1 to clients 
is as follows: 

Definition 3.4. Let $r_1 \preceq_{\mathrm{bad}} r_2$ if for every $s \in \mathrm{Act}^*$, if $r_1 \Downarrow s$ then (i) $r_2 \Downarrow s$, and (ii) for 
every $B \in \mathrm{Acc}_\checkmark(r_2, s)$, there exists some $A \in \mathrm{Acc}_\checkmark(r_1, s)$ such that $A \subseteq B$. 

Counterexample 3.5. In this counterexample we show that the relation $\preceq_{\mathrm{bad}}$ is not complete 
wrt $\sqsubseteq_{\mathrm{clt}}$, that is $\sqsubseteq_{\mathrm{clt}} \not\subseteq\ \preceq_{\mathrm{bad}}$. One can show that $r \sqsubseteq_{\mathrm{clt}} c.a.1$ where r denotes the client 
c.(a.1 + b.0). However r and c.a.1 are not related by the proposed $\preceq_{\mathrm{bad}}$ of Definition 3.4. 

Obviously $r \Downarrow c$ and $\{a\} \in \mathrm{Acc}_\checkmark(c.a.1, c)$. But there is no $A \in \mathrm{Acc}_\checkmark(r, c)$ such that $A \subseteq \{a\}$; 
this is because $\mathrm{Acc}_\checkmark(r, c) = \{\{a, b\}\}$; thus $r \not\preceq_{\mathrm{bad}} c.a.1$. 

The problem is the presence of b in the ready set of a.1 + b.0. 

Intuitively, in the previous example the action b is unusable for r after having performed 
the unsuccessful trace c; this is because performing b leads to a client, 0, which is unusable, 
in the sense that it can never be satisfied by any server. When comparing ready sets after 
unsuccessful traces in Definition 3.4 we should ignore occurrences of unusable actions. 

Let $\mathcal{U}_{\mathrm{clt}} = \{\, r \mid p\ \mathsf{must}\ r, \text{ for some server } p \,\}$. The set $\mathcal{U}_{\mathrm{clt}}$ contains the usable clients, 
those satisfied by at least one server. We also need to consider the residuals of a client r 
only after unsuccessful traces (see Counterexample 3.8): for any process r and $s \in \mathrm{Act}^*$ let 

$(r\ \mathrm{after}_\checkmark\ s) = \{\, q \mid r \stackrel{s}{\Longrightarrow}_{\checkmark} q \,\}$ (3.2) 

The usability of a client, then, is parametrised over traces: for every $s \in \mathrm{Act}^*$, the client 
usability along an unsuccessful trace s, denoted $\mathrm{usbl}_\checkmark\ s$, is defined by induction on s: 

(a) $r\ \mathrm{usbl}_\checkmark\ \varepsilon$ whenever $r \in \mathcal{U}_{\mathrm{clt}}$ 

(b) $r\ \mathrm{usbl}_\checkmark\ as$ whenever 

  (1) $r \in \mathcal{U}_{\mathrm{clt}}$ and 

  (2) if $r \stackrel{a}{\Longrightarrow}_{\checkmark}$ then $\bigoplus(r\ \mathrm{after}_\checkmark\ a)\ \mathrm{usbl}_\checkmark\ s$ 

The predicate $\mathrm{usbl}_\checkmark$ is extended to infinite traces $u \in \mathrm{Act}^\infty$ in the obvious manner. Intuitively 
$r\ \mathrm{usbl}_\checkmark\ s$ means that any state reachable from r by performing any subsequence of s is 
usable. Note that only unsuccessful traces have to be taken into account, and also that 
the definitions of the predicates $\Downarrow$ and $\mathrm{usbl}_\checkmark$ have the same structure. 

Definition 3.6. The set of usable actions for a client r after the trace s is defined as 

$\mathrm{ua}_{\mathrm{clt}}(r, s) = \{\, a \in \mathrm{Act} \mid r \stackrel{sa}{\Longrightarrow}_{\checkmark} \text{ implies } r\ \mathrm{usbl}_\checkmark\ sa \,\}$ 

Now we define a second tentative characterisation of $\sqsubseteq_{\mathrm{clt}}$, denoted $\preceq_{\mathrm{bad}'}$, replacing in 
Definition 3.4 the set inclusion $A \subseteq B$ with the more relaxed condition 

$A \cap \mathrm{ua}_{\mathrm{clt}}(r_1, s) \subseteq B$ (3.3) 


Example 3.7. We revisit Counterexample 3.5, and prove that $r \preceq_{\mathrm{bad}'} c.a.1$, thereby correctly 
reflecting the fact that $r \sqsubseteq_{\mathrm{clt}} c.a.1$ and improving on $\preceq_{\mathrm{bad}}$. 

Let us see why $r \preceq_{\mathrm{bad}'} c.a.1$. Recall that $\mathrm{Acc}_\checkmark(r, c) = \{\{a, b\}\}$, and observe that the 
action b is not in $\mathrm{ua}_{\mathrm{clt}}(r, c)$ because $r \stackrel{cb}{\Longrightarrow}_{\checkmark}$ and $r\ \mathrm{usbl}_\checkmark\ cb$ does not hold. The last fact is true because 
$(r\ \mathrm{after}_\checkmark\ cb)$ is the singleton set $\{0\}$, and 0 is not in $\mathcal{U}_{\mathrm{clt}}$. Instead we have $\mathrm{ua}_{\mathrm{clt}}(r, c) = \{a\}$, 
and so the inclusion in Eq. (3.3) used to define $\preceq_{\mathrm{bad}'}$ is satisfied by the ready sets at hand, 
because 

$\{a, b\} \cap \{a\} \subseteq \{a\}$ 

thus $r \preceq_{\mathrm{bad}'} c.a.1$. 
Before critiquing the second attempted characterisation, we point out that in 
the definition of $\mathrm{usbl}_\checkmark$ it is necessary to consider only unsuccessful traces. 

Counterexample 3.8. In this counterexample we prove that if in the definition of $\mathrm{usbl}_\checkmark$ 
above we consider all the traces rather than only the unsuccessful ones, then the relation $\preceq_{\mathrm{bad}'}$ 
is not sound wrt $\sqsubseteq_{\mathrm{clt}}$, that is $\preceq_{\mathrm{bad}'} \not\subseteq\ \sqsubseteq_{\mathrm{clt}}$. 

Consider the client $r = b.(\tau.(1 + a.0) + \tau.a.\tau.1)$. First note that $b.a.0\ \mathsf{must}\ r$ while 
$b.a.0\ \not\mathsf{must}\ b.0$ and therefore $r \not\sqsubseteq_{\mathrm{clt}} b.0$. 

Suppose that $\mathrm{usbl}_\checkmark$ was defined using $\Longrightarrow$ and $\mathrm{after}$ in place of $\Longrightarrow_\checkmark$ and $\mathrm{after}_\checkmark$. We 
prove that $r \preceq_{\mathrm{bad}'} b.0$. 

The set $(r\ \mathrm{after}\ ba)$ is $\{0, 1\}$, so $\bigoplus(r\ \mathrm{after}\ ba)$ is the client $\tau.0 + \tau.1$, which is 
not in $\mathcal{U}_{\mathrm{clt}}$. This implies that $\mathrm{ua}_{\mathrm{clt}}(r, b)$ contains only actions not performed by r after b, 
therefore any ready set $B \in \mathrm{Acc}_\checkmark(b.0, b)$ can be matched according to Eq. (3.3) by the ready 
set $\{a\} \in \mathrm{Acc}_\checkmark(r, b)$, because $A \cap \mathrm{ua}_{\mathrm{clt}}(r, b) = \emptyset$. From this $r \preceq_{\mathrm{bad}'} b.0$ follows. 

However with the correct definition of $\mathrm{usbl}_\checkmark$ this reasoning no longer works because 
$\mathrm{ua}_{\mathrm{clt}}(r, b) = \{a\}$. 

Unfortunately, as might be expected, the relation $\preceq_{\mathrm{bad}'}$ is still not sufficient to obtain a 
complete characterisation of the client preorder; one more adjustment is required. 


Counterexample 3.9. Here we prove that the relation $\preceq_{\mathrm{bad}'}$ is not complete wrt $\sqsubseteq_{\mathrm{clt}}$. 
Consider the clients $r_1 = a.(b.d.0 + b.1)$ and $r_2 = a.c.d.1$. As $r_1$ is not usable, $r_1 \sqsubseteq_{\mathrm{clt}} r_2$, 
although $r_1 \not\preceq_{\mathrm{bad}'} r_2$. To see this first note $\{d\} \in \mathrm{Acc}_\checkmark(r_2, ac)$, and $r_1 \Downarrow ac$, although $r_1$ cannot 
actually perform the sequence of actions ac; $r_1 \Downarrow ac$ merely says that if $r_1$ can perform 
any prefix of the sequence ac to reach r' then r' must converge. Since $r_1$ cannot perform the 
sequence of actions ac, $\mathrm{Acc}_\checkmark(r_1, ac)$ is empty; thus no ready set A can be found to match 
the ready set $\{d\}$. 

To fix the problem highlighted in Example 3.9 we need to reconsider when ready sets are 
to be matched. In Definition 3.4 this matching is moderated by the predicate $\Downarrow s$; for example 
$a.(\tau^\infty + b.1) \preceq_{\mathrm{bad}} a.c.d.1$, where $\tau^\infty$ denotes some process which does not converge. This is 
because $a.(\tau^\infty + b.1) \Downarrow a$ is false and therefore the ready set $\{c\} \in \mathrm{Acc}_\checkmark(a.c.d.1, a)$ does 
not have to be matched by $a.(\tau^\infty + b.1)$. However the client preorder is largely impervious 
to convergence/divergence. For example $1 \simeq_{\mathrm{clt}} (1 + \tau^\infty)$. 

It turns out that we have to moderate the matching of ready sets, not via the convergence 
predicate, but instead via usability. One can show that if $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ and $r_1\ \mathrm{usbl}_\checkmark\ s$ then 
$r_2\ \mathrm{usbl}_\checkmark\ s$. In fact this predicate describes precisely when we expect ready sets of clients to 
be compared. 


Definition 3.10 (Semantic client-preorder). In any LTS, let $r_1 \preceq_{\mathrm{clt}} r_2$ if 

(1) for every $s \in \mathrm{Act}^*$ such that $r_1\ \mathrm{usbl}_\checkmark\ s$, 

  (a) $r_2\ \mathrm{usbl}_\checkmark\ s$, 

  (b) for every $B \in \mathrm{Acc}_\checkmark(r_2, s)$ there exists some $A \in \mathrm{Acc}_\checkmark(r_1, s)$ such that 

    $A \cap \mathrm{ua}_{\mathrm{clt}}(r_1, s) \subseteq B$ 

(2) for every $w \in \mathrm{Act}^* \cup \mathrm{Act}^\infty$ such that $r_1\ \mathrm{usbl}_\checkmark\ w$, $r_2 \stackrel{w}{\Longrightarrow}_{\checkmark}$ implies $r_1 \stackrel{w}{\Longrightarrow}_{\checkmark}$. 

Example 3.11. Let us revisit the clients $r_1, r_2$ in Counterexample 3.9. The client b.d.0 + 
b.1 is not usable, that is $b.d.0 + b.1 \notin \mathcal{U}_{\mathrm{clt}}$, because it cannot be satisfied by any server. 

Figure 4: Infinite traces 

Consequently $r_1\ \mathrm{usbl}_\checkmark\ ac$ does not hold, and therefore when checking whether $r_1 \preceq_{\mathrm{clt}} r_2$ holds 
the ready set $\{d\} \in \mathrm{Acc}_\checkmark(r_2, ac)$ does not have to be matched by $r_1$. 

Indeed it is now straightforward to check that $r_1 \preceq_{\mathrm{clt}} r_2$; the only $s \in \mathrm{Act}^*$ for which 
$\mathrm{Acc}_\checkmark(r_2, s)$ is non-empty and $r_1\ \mathrm{usbl}_\checkmark\ s$ is the empty sequence ε. 

In passing let us note that in general, and in particular in LTSs which are not finite 
branching, the condition on the existence of infinite computations in (2) of Definition 3.10 
does not follow from the condition on finite computations. 

Example 3.12. Consider the process q from Figure 4, where the abbreviation used in the figure denotes a process which 
performs a sequence of k a actions followed by 1. Let p be a similar process, but without the 
self loop. Then $p\ \mathrm{usbl}_\checkmark\ s$ and $q\ \mathrm{usbl}_\checkmark\ s$ for every s, and the pair (p, q) satisfies condition (1) 
of $\preceq_{\mathrm{clt}}$, and condition (2) on finite ws. However condition (2) on infinite ws is not satisfied: 
if u denotes the infinite sequence of as then $q \stackrel{u}{\Longrightarrow}_{\checkmark}$ but $p \stackrel{u}{\not\Longrightarrow}_{\checkmark}$. 

In fact $p \not\sqsubseteq_{\mathrm{clt}} q$. For consider the process A = a.A. When p is run as a test on A, or as 
a client using the server A, every computation is finite and successful; $A\ \mathsf{must}\ p$. However 
when q is run as a test, there is the possibility of an infinite computation, the indefinite 
synchronisation on a, which is not successful; $A\ \not\mathsf{must}\ q$. 

Theorem 3.13. In CCS, $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ if and only if $r_1 \preceq_{\mathrm{clt}} r_2$. 

Proof. It follows from Theorem 4.6 and Theorem 4.10 of Section 4. □ 

The server-preorder can be characterised behaviourally in a manner dual to that of 
Definition 3.10 using the set of usable servers $\mathcal{U}_{\mathrm{svr}} = \{\, p \mid p\ \mathsf{must}\ r, \text{ for some client } r \,\}$, the 
usable actions 

$\mathrm{ua}_{\mathrm{svr}}(p, s) = \{\, a \in \mathrm{Act} \mid p \stackrel{sa}{\Longrightarrow} \text{ implies } p\ \mathrm{usbl}\ sa \,\}$ 

and the server convergence predicate $p \Downarrow_{\mathrm{svr}} s$, defined as the conjunction of $p \Downarrow s$ and a 
server usability predicate $p\ \mathrm{usbl}\ s$. This latter predicate is defined inductively in a manner 
similar to $\mathrm{usbl}_\checkmark\ s$, but over all traces s, rather than simply the unsuccessful ones. 


Definition 3.14 (Semantic server-preorder). In any LTS, let $p \preceq_{\mathrm{svr}} q$ if 

(1) for every $s \in \mathrm{Act}^*$ such that $p \Downarrow_{\mathrm{svr}} s$, 

  (a) $q \Downarrow_{\mathrm{svr}} s$, 

  (b) for every $B \in \mathrm{Acc}(q, s)$ there exists some $A \in \mathrm{Acc}(p, s)$ such that 

    $A \cap \mathrm{ua}_{\mathrm{svr}}(p, s) \subseteq B$ 

(2) for every $w \in \mathrm{Act}^* \cup \mathrm{Act}^\infty$ such that $p \Downarrow_{\mathrm{svr}} w$, $q \stackrel{w}{\Longrightarrow}$ implies $p \stackrel{w}{\Longrightarrow}$. 


Theorem 3.15. In CCS, $p \sqsubseteq_{\mathrm{svr}} q$ if and only if $p \preceq_{\mathrm{svr}} q$. 
Proof. The standard argument of [Hen88] suffices, but for the condition on infinite traces, 
which we prove here. 

Let $u = a_1 a_2 a_3 \ldots$, and $c_n = \tau.1 + a_n.c_{n+1}$ for every $n \in \mathbb{N}$. No $c_n$ is successful, 
so the infinite computation of $c_0 \parallel p_2$ due to the trace u proves that $p_2\ \not\mathsf{must}\ c_0$. The 
hypothesis $p_1 \sqsubseteq_{\mathrm{svr}} p_2$ implies that $p_1\ \not\mathsf{must}\ c_0$. For a contradiction, suppose that $p_1 \stackrel{u}{\not\Longrightarrow}$. 
The assumption $p_1 \Downarrow_{\mathrm{svr}} u$ implies $p_1 \Downarrow u$, which in turn lets us prove that all the maximal 
computations of $c_0 \parallel p_1$ are client-successful. But this is not possible, as $p_1\ \not\mathsf{must}\ c_0$. It 
follows that $p_1 \stackrel{u}{\Longrightarrow}$. □ 


Theorem 3.15 is a generalisation of Theorem 3.1, as the server usability predicate $\mathcal{U}_{\mathrm{svr}}$ is 
degenerate: it holds for every process, since any process used as a server trivially satisfies 
the degenerate client 1. 


Let us now consider the peer preorder. The following result is hopeful: 

Proposition 3.16. In CCS, $r_1 \sqsubseteq_{\mathrm{p2p}} r_2$ implies $r_1 \sqsubseteq_{\mathrm{clt}} r_2$. 

Proof. First note that using Theorem 3.15 one can prove that $1 + p \sqsubseteq_{\mathrm{svr}} p$ and that 
$p \sqsubseteq_{\mathrm{svr}} 1 + p$. 

Now suppose that $p\ \mathsf{must}\ r_1$; it follows that $1 + p\ \mathsf{must}\ r_1$, and so $1 + p\ \mathsf{must}^{\mathrm{p2p}}\ r_1$ 
because 1 + p is trivially satisfied. The hypothesis implies that $1 + p\ \mathsf{must}^{\mathrm{p2p}}\ r_2$, thus 
$1 + p\ \mathsf{must}\ r_2$. In turn this ensures that $p\ \mathsf{must}\ r_2$. □ 


Unfortunately, the peer preorder is not contained in the server preorder: 

Example 3.17. It is easy to see that $a.0 \sqsubseteq_{\mathrm{p2p}} b.0$. This is true because a.0 can never be 
satisfied, for it offers no ✓ at all. However, $a.0 \not\sqsubseteq_{\mathrm{svr}} b.0$, as the client a.1 is satisfied by a.0, 
whereas $b.0\ \not\mathsf{must}\ a.1$. 


Intuitively, the reason why $\sqsubseteq_{\mathrm{p2p}} \not\subseteq\ \sqsubseteq_{\mathrm{svr}}$ is that the server preorder does not reflect 
the fact that servers should now act as peers; that is they should also be satisfied by their 
interactions with clients. To take this into account we introduce the usability of peers 
and amend the definition of $\preceq_{\mathrm{svr}}$ accordingly. In principle we should introduce the set of 
usable peers, $\mathcal{U}_{\mathrm{p2p}} = \{\, p \mid p\ \mathsf{must}^{\mathrm{p2p}}\ r \text{ for some peer } r \,\}$. However, since $\mathcal{U}_{\mathrm{p2p}}$ turns out to 
coincide with $\mathcal{U}_{\mathrm{clt}}$, instead we define the peer convergence predicate by using the usability 
predicate of clients. For every $w \in \mathrm{Act}^* \cup \mathrm{Act}^\infty$, let $p \Downarrow_{\mathrm{p2p}} w$ whenever $p \Downarrow w$ and $p\ \mathrm{usbl}_\checkmark\ w$. 

Definition 3.18. Let $p \preccurlyeq_{\mathrm{usvr}} q$ whenever
(1) for every $s \in \mathsf{Act}^*$, if $p \Downarrow_{\mathrm{p2p}} s$ then
  (a) $q \Downarrow s$,
  (b) for every $B \in \mathit{Acc}(q, s)$ there exists some $A \in \mathit{Acc}(p, s)$ such that $A \cap \mathsf{ua}_{\mathrm{clt}}(p, s) \subseteq B$;
(2) for every $w \in \mathsf{Act}^* \cup \mathsf{Act}^\infty$, if $p \Downarrow_{\mathrm{p2p}} w$ and $q \xRightarrow{w}$, then $p \xRightarrow{w}$.

Definition 3.19 (Semantic peer-preorder). Let $p \preccurlyeq_{\mathrm{p2p}} q$ if $p \preccurlyeq_{\mathrm{clt}} q$ and $p \preccurlyeq_{\mathrm{usvr}} q$.

Note that the definition of $p \preccurlyeq_{\mathrm{p2p}} q$ is not simply the conjunction of the client and server preorders from Definition 3.10 and Definition 3.14. It is essential that the usable set of peers $\mathcal{U}_{\mathrm{p2p}}$ be employed.


Theorem 3.20. In CCS, $p \sqsubseteq_{\mathrm{p2p}} q$ if and only if $p \preccurlyeq_{\mathrm{p2p}} q$.

Proof. See Section 5. $\square$
4. Characterising the client behaviour

This section is devoted to the proof of the behavioural characterisation of the client preorder, Theorem 3.13. For convenience it is divided into three subsections. The first gathers some preliminary technical properties of the various predicates used in the characterisation; the second is devoted to soundness and the final one to completeness.

4.1. Preliminaries. Here we collect some technical results on the interplay between the testing predicate $p \mathrel{\mathit{must}} r$ and the client and action usability predicates. The two corollaries below are the main results of the section.

Lemma 4.1. Suppose $p \mathrel{\mathit{must}} r$ where $p \xRightarrow{s} q$. Then $r \xRightarrow[\not\checkmark]{s} r'$ implies $q \mathrel{\mathit{must}} r'$.

Proof. Straightforward, as any maximal computation from $q \parallel r'$ can be prefixed by an unsuccessful sequence of reduction steps to obtain a maximal computation from $p \parallel r$. $\square$

Corollary 4.2. Suppose $p \mathrel{\mathit{must}} r$ where $p \xRightarrow{s} q$. Then $r \mathrel{\mathit{usbl}_{\not\checkmark}} s$.

Proof. By induction on $s$. If $s$ is the empty sequence $\varepsilon$ then the result is immediate, as $p \mathrel{\mathit{must}} r$ ensures that $r \in \mathcal{U}_{\mathrm{clt}}$. So assume $s$ has the form $b.t$ and $r \xRightarrow[\not\checkmark]{b}$. We have to show that $\oplus(r \mathrel{\mathit{after}_{\not\checkmark}} b) \mathrel{\mathit{usbl}_{\not\checkmark}} t$.

Let $p \xRightarrow{b} p_b \xRightarrow{t} q$. By Lemma 4.1 we know $p_b \mathrel{\mathit{must}} r'$ whenever $r \xRightarrow[\not\checkmark]{b} r'$. This in turn means that $p_b \mathrel{\mathit{must}} \oplus(r \mathrel{\mathit{after}_{\not\checkmark}} b)$. Now apply induction. $\square$


Proposition 4.3. Suppose $p \mathrel{\mathit{must}} r$ and $p \xRightarrow{s} q$. Then $r \xRightarrow[\not\checkmark]{s} r''$ implies $q \mathrel{\mathit{must}} r''$.

Proof. Suppose that $p \xRightarrow{s} q$ and that $r \xRightarrow[\not\checkmark]{s} r''$. We prove that $q \not\mathrel{\mathit{must}} r''$ implies $p \not\mathrel{\mathit{must}} r$.

Since $q \not\mathrel{\mathit{must}} r''$ there must exist a maximal unsuccessful computation from $q \parallel r''$,
$$q \parallel r'' = q_0 \parallel r''_0 \to q_1 \parallel r''_1 \to q_2 \parallel r''_2 \to \cdots \tag{4.1}$$
such that $r''_k \not\xrightarrow{\checkmark}$ for every $k \ge 0$. In particular $r'' \not\xrightarrow{\checkmark}$.

The two derivations $p \xRightarrow{s} q$ and $r \xRightarrow[\not\checkmark]{s} r''$ can be zipped together to obtain a computation
$$p \parallel r = p_0 \parallel r_0 \to p_1 \parallel r_1 \to \cdots \to p_n \parallel r_n = q \parallel r'' \tag{4.2}$$
Moreover here $r_i \not\xrightarrow{\checkmark}$ for every $0 \le i \le n$.

Now the computation in (4.2) can be continued using the one in (4.1), leading to a maximal computation from $p \parallel r$ which is unsuccessful. It follows that $p \not\mathrel{\mathit{must}} r$. $\square$

Corollary 4.4. Suppose $p \mathrel{\mathit{must}} r$ where $p \xRightarrow{s} q$ and $r \xRightarrow[\not\checkmark]{s} r' \xrightarrow{a} r''$. Then $a \in \mathsf{ua}_{\mathrm{clt}}(r, s)$.

Proof. If $r \not\xRightarrow[\not\checkmark]{sa}$ then by Definition 3.6 $a \in \mathsf{ua}_{\mathrm{clt}}(r, s)$. If $r \xRightarrow[\not\checkmark]{sa}$, then we have to prove that $r \mathrel{\mathit{usbl}_{\not\checkmark}} sa$; the argument relies on the previous proposition and induction on $s$.

If $s$ is empty then $\oplus(r \mathrel{\mathit{after}_{\not\checkmark}} a) \mathrel{\mathit{usbl}_{\not\checkmark}} \varepsilon$ because of the previous proposition.

If $s = bt$, then $p \xRightarrow{b} p' \xRightarrow{t} q$. An application of the previous proposition to $p \xRightarrow{b} p'$ ensures that $p' \mathrel{\mathit{must}} r''$ for every $r'' \in (r \mathrel{\mathit{after}_{\not\checkmark}} b)$, so $p' \mathrel{\mathit{must}} \oplus(r \mathrel{\mathit{after}_{\not\checkmark}} b)$. As $p' \xRightarrow{t}$, induction implies that $\oplus(r \mathrel{\mathit{after}_{\not\checkmark}} b) \mathrel{\mathit{usbl}_{\not\checkmark}} ta$. $\square$
Usability ensures that even when a client diverges, it can report success.

Lemma 4.5. If $r \in \mathcal{U}_{\mathrm{clt}}$ and $r \Uparrow$, then for every infinite reduction sequence $r = r_0 \to r_1 \to r_2 \to \cdots$ there exists an $n \in \mathbb{N}$ such that $r_n \xrightarrow{\checkmark}$.

Proof. As $r \in \mathcal{U}_{\mathrm{clt}}$ there exists a server $p$ such that $p \mathrel{\mathit{must}} r$. Fix a divergent computation of $r$, and zip it with $p$,
$$p \parallel r = p \parallel r_0 \to p \parallel r_1 \to p \parallel r_2 \to \cdots$$
The computation must be client-successful, so $r_n \xrightarrow{\checkmark}$ for some $n \in \mathbb{N}$. $\square$


4.2. Soundness. Here we prove that the behavioural preorder in Definition 3.10 provides a sufficient set of conditions to capture the client preorder. It is difficult to break the proof into a series of manageable independent results; instead we have one long monolithic proof.

Theorem 4.6 (Soundness client preorder). $r_1 \preccurlyeq_{\mathrm{clt}} r_2$ implies $r_1 \sqsubseteq_{\mathrm{clt}} r_2$.

Proof. Fix a pair $r_1 \preccurlyeq_{\mathrm{clt}} r_2$, and let $p \mathrel{\mathit{must}} r_1$; we have to show that all the maximal computations of the composition $p \parallel r_2$ are client-successful. The argument is by contradiction, in that we show that if a maximal computation of $p \parallel r_2$ is not client-successful, then also $p \parallel r_1$ performs a non client-successful computation, so $p \not\mathrel{\mathit{must}} r_1$.

Fix a maximal computation from $p \parallel r_2$,
$$p \parallel r_2 = p_0 \parallel r_2^0 \to p_1 \parallel r_2^1 \to p_2 \parallel r_2^2 \to \cdots \tag{4.3}$$
The computation in (4.3) is finite or infinite. We discuss the two cases separately.

Suppose that the computation is finite, and unzip it; the resulting contributions of $p$ and $r_2$ are
$$r_2 \xRightarrow{s} r_2^k, \qquad p \xRightarrow{s} p_k$$
for some $s \in \mathsf{Act}^*$, and stable $p_k \parallel r_2^k$. The hypothesis $p \mathrel{\mathit{must}} r_1$, $p \xRightarrow{s}$, and Corollary 4.2 imply that $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} s$. Suppose that the computation in (4.3) is not client-successful, so no state in the contribution of $r_2$ reports success. It follows that $r_2 \xRightarrow[\not\checkmark]{s} r_2^k$ and $\mathcal{S}(r_2^k) \in \mathit{Acc}_{\not\checkmark}(r_2, s)$; so part (1b) of Definition 3.10 implies that there exists some $A \in \mathit{Acc}_{\not\checkmark}(r_1, s)$ such that $A \cap \mathsf{ua}_{\mathrm{clt}}(r_1, s) \subseteq \mathcal{S}(r_2^k)$. Definition 3.3 implies that $r_1 \xRightarrow[\not\checkmark]{s} r_1^k$ for some stable $r_1^k$ such that $\mathcal{S}(r_1^k) = A$.

Zipping together the contributions along $s$ of $p$ and $r_1$, the resulting computation reaches the state $p_k \parallel r_1^k$; if this state is stable, then the computation is maximal and not client-successful, so $p \not\mathrel{\mathit{must}} r_1$. This contradicts our assumption that $p \mathrel{\mathit{must}} r_1$.

So it remains to show that $p_k \parallel r_1^k$ is stable. Suppose, for a contradiction, that $p_k$ and $r_1^k$ can synchronise, that is $r_1^k \xrightarrow{c}$ and $p_k \xrightarrow{\bar c}$ for some action $c \in A$. This situation matches the assumptions in Corollary 4.4 exactly, which gives that $c \in \mathsf{ua}_{\mathrm{clt}}(r_1, s)$. Since $A \cap \mathsf{ua}_{\mathrm{clt}}(r_1, s) \subseteq \mathcal{S}(r_2^k)$ this in turn means that $r_2^k \xrightarrow{c}$, which contradicts the assumption that $p_k \parallel r_2^k$ is stable.


We have discussed when the computation in (4.3) above is finite. Now let us suppose that it is infinite. As before, unzip it.

Either $p$ and $r_2$ perform infinite traces, or they perform finite traces and then (at least) one of them diverges.

If we are in the first case, then
$$r_2 \xRightarrow{u}, \qquad p \xRightarrow{u}$$
for some $u \in \mathsf{Act}^\infty$. The assumption $p \mathrel{\mathit{must}} r_1$, the fact that $p \xRightarrow{u}$, and Corollary 4.2 applied to every prefix of $u$, imply that $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} u$. The proof that there is a successful term in $r_2 \xRightarrow{u}$ is by contradiction; for suppose that $r_2 \xRightarrow[\not\checkmark]{u}$; then part (2) of Definition 3.10 implies that $r_1 \xRightarrow[\not\checkmark]{u}$. By zipping $r_1 \xRightarrow[\not\checkmark]{u}$ with $p \xRightarrow{u}$ we obtain a maximal computation of $p \parallel r_1$ which is not client-successful; this implies that $p \not\mathrel{\mathit{must}} r_1$, which contradicts our original assumption on $p$.

Suppose now that $p$ and $r_2$ engage in a finite trace and then there is a divergence; by unzipping the computation in (4.3) we get the contributions
$$r_2 \xRightarrow{s} r_2^k, \qquad p \xRightarrow{s} p_k$$
Either $p_k$ diverges or $r_2^k$ diverges, or both diverge. The assumption $p \mathrel{\mathit{must}} r_1$, the fact that $p \xRightarrow{s}$, and Corollary 4.2 imply that $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} s$.

Suppose that $p_k$ diverges. To prove that the computation in (4.3) is client-successful we reason by contradiction: suppose that there is no successful state among $r_2^0, \ldots, r_2^k$; this implies that $r_2$ performs the trace $s$ unsuccessfully,
$$r_2 \xRightarrow[\not\checkmark]{s} r_2^k$$
Part (2) of Definition 3.10 ensures that $r_1 \xRightarrow[\not\checkmark]{s} r_1'$. We zip the contribution of $p$ with the unsuccessful transition of $r_1$; as $p_k$ diverges the resulting computation is maximal,
$$p \parallel r_1 \Longrightarrow p_k \parallel r_1' \to p_k' \parallel r_1' \to p_k'' \parallel r_1' \to \cdots \tag{4.4}$$
All the derivatives of $r_1$ in the maximal computation above are in $r_1 \xRightarrow[\not\checkmark]{s} r_1'$, so they are not successful. It follows that the computation in (4.4) is not client-successful. However this contradicts the assumption $p \mathrel{\mathit{must}} r_1$.

Finally suppose that $r_2^k$ diverges. If there is a successful state in $r_2 \xRightarrow{s} r_2^k$ then the maximal computation we unzipped is client-successful. Therefore suppose that there is no successful state in the contribution of $r_2$, that is $r_2 \xRightarrow[\not\checkmark]{s} r_2^k$. As $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} s$, part (1a) of Definition 3.10 implies that $r_2 \mathrel{\mathit{usbl}_{\not\checkmark}} s$. Now one can show that this implies that $r_2^k \in \mathcal{U}_{\mathrm{clt}}$. So an application of Lemma 4.5 ensures that the unzipped computation is client-successful. $\square$


4.3. Completeness. Here we show the converse of Theorem 4.6, which involves showing that the testing preorder $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ implies the collection of properties gathered together in Definition 3.10. These in turn are quantified over all sequences $s \in \mathsf{Act}^*$ and $w \in \mathsf{Act}^\infty$; we handle this quantification using induction over the length of $s$. First a technical lemma.

Lemma 4.7. Suppose $r \in \mathcal{U}_{\mathrm{clt}}$. Then $\mathbf{0} \not\mathrel{\mathit{must}} r$ if and only if $r \xRightarrow[\not\checkmark]{\varepsilon} r' \not\xrightarrow{\tau}$ for some client $r'$.

Proof. One direction is straightforward. For the converse suppose $\mathbf{0} \not\mathrel{\mathit{must}} r$; we have to show that there exists some $r'$ satisfying $r \xRightarrow[\not\checkmark]{\varepsilon} r' \not\xrightarrow{\tau}$.

Since $\mathbf{0} \not\mathrel{\mathit{must}} r$ there must exist some unsuccessful maximal computation
$$\mathbf{0} \parallel r = \mathbf{0} \parallel r_0 \to \cdots \to \mathbf{0} \parallel r_k \to \cdots \tag{4.5}$$
Suppose this is infinite. Then $p \mathrel{\mathit{must}} r$ cannot be true for any server $p$, as $\mathbf{0}$ can be replaced in (4.5) by any $p$, to obtain an unsuccessful maximal computation from $p \parallel r$. This contradicts the assumption that $r \in \mathcal{U}_{\mathrm{clt}}$.

So (4.5) has to be finite, with terminal element $\mathbf{0} \parallel r_n$. The required $r'$ is $r_n$. $\square$

Proposition 4.8. Suppose $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ where $r_1 \in \mathcal{U}_{\mathrm{clt}}$.

(1) If $r_2 \xRightarrow[\not\checkmark]{a}$ then $r_1 \xRightarrow[\not\checkmark]{a}$.

(2) For every $B \in \mathit{Acc}_{\not\checkmark}(r_2, \varepsilon)$ there exists some set $A \in \mathit{Acc}_{\not\checkmark}(r_1, \varepsilon)$ such that $A \cap \mathsf{ua}_{\mathrm{clt}}(r_1, \varepsilon) \subseteq B$.

(3) If $r_2 \xRightarrow[\not\checkmark]{a}$ then $\oplus(r_1 \mathrel{\mathit{after}_{\not\checkmark}} a) \sqsubseteq_{\mathrm{clt}} \oplus(r_2 \mathrel{\mathit{after}_{\not\checkmark}} a)$.

Proof. Throughout let $p_1$ be a server such that $p_1 \mathrel{\mathit{must}} r_1$.

(1) Let $p = p_1 + \bar a.\tau^\infty$. As $p$ diverges after the interaction on $a$, and $r_2$ performs $a$ without reaching successful states, $p \not\mathrel{\mathit{must}} r_2$. The hypothesis implies $p \not\mathrel{\mathit{must}} r_1$. In turn this ensures that $r_1 \xRightarrow[\not\checkmark]{a}$, for otherwise the assumption on $p_1$ would imply that $p \mathrel{\mathit{must}} r_1$.

(2) Let $\mathit{Acc}_{\not\checkmark}(r_1, \varepsilon)$ be denoted by $\{\, A_i \mid i \in I \,\}$, for some index set $I$. Note that $I$ may be empty, or indeed infinite. For convenience we use $U$ to denote the set $\mathsf{ua}_{\mathrm{clt}}(r_1, \varepsilon)$. Suppose, for a contradiction, that there exists some $B \in \mathit{Acc}_{\not\checkmark}(r_2, \varepsilon)$ such that
$$\text{for every } i \in I \text{ there exists some action } a_i \in (A_i \cap U) \setminus B \tag{4.6}$$
We will eventually show that this assumption contradicts the hypothesis that $r_1 \sqsubseteq_{\mathrm{clt}} r_2$. But first we show that it implies that the index set $I$ is non-empty. The existence of $B$ ensures that $\mathit{Acc}_{\not\checkmark}(r_2, \varepsilon)$ is not empty; that is, there exists a client $r_2'$ such that $r_2 \xRightarrow[\not\checkmark]{\varepsilon} r_2' \not\xrightarrow{\tau}$. Thus Lemma 4.7 implies that $\mathbf{0} \not\mathrel{\mathit{must}} r_2$. As $r_1 \sqsubseteq_{\mathrm{clt}} r_2$, $\mathbf{0} \not\mathrel{\mathit{must}} r_1$, and another application of Lemma 4.7 ensures that $I$ is not empty.

For each $i \in I$ let $D_i$ denote the set $\{\, r' \mid r_1 \xRightarrow[\not\checkmark]{a_i} r' \,\}$; because $a_i \in U$ each of these sets is non-empty. We also know, again because $a_i \in U$, that for every $i \in I$ there is some server $p_i$ satisfying $p_i \mathrel{\mathit{must}} r'$ for every $r' \in D_i$. This is true because either $r' \xrightarrow{\checkmark}$ for every $r' \in D_i$, or Definition 3.6 ensures that there exists a $p_i$ such that $p_i \mathrel{\mathit{must}} \oplus\{\, r' \in D_i \mid r' \not\xrightarrow{\checkmark} \,\}$. Plainly $p_i \mathrel{\mathit{must}} r'$ for every $r' \in D_i$ such that $r' \xrightarrow{\checkmark}$, so the server $p_i$ indeed satisfies all the clients in $D_i$.

Let $J = \{\, i \in I \mid r_1 \xRightarrow{a_i} \text{ via a successful state} \,\}$; this subset of $I$ contains the indices of all the actions $a_i$ which $r_1$ can perform weakly while passing through a successful state. Now let $p$ denote the server
$$\sum_{i \in I \setminus J} \bar a_i.p_i \;+\; \sum_{j \in J} \bar a_j.\mathbf{0}$$
To establish the contradiction to $r_1 \sqsubseteq_{\mathrm{clt}} r_2$, it remains to show that $p \not\mathrel{\mathit{must}} r_2$ and $p \mathrel{\mathit{must}} r_1$.

(a) $p \not\mathrel{\mathit{must}} r_2$. A finite unsuccessful maximal computation is ensured by the existence of $B$ in $\mathit{Acc}_{\not\checkmark}(r_2, \varepsilon)$, and the assumption (4.6) above.

(b) To prove that $p \mathrel{\mathit{must}} r_1$ is a little delicate. Consider a maximal computation
$$p \parallel r_1 = p^0 \parallel r_1^0 \to \cdots \to p^k \parallel r_1^k \to \cdots \tag{4.7}$$
If the server $p$ remains untouched then the same sequence of clients can be used to construct a maximal computation from $p_1 \parallel r_1$; so some $r_1^j$ must report success. On the other hand suppose $p$ is touched. For example $p^k$ is $p$ while $p^{k+1}$ is $\mathbf{0}$ or $p_i$ for some $i \in I$. If no $r_1^j$, for $j \le k$, reports success then $r_1^{k+1} \in D_i$, from which $p_i \mathrel{\mathit{must}} r_1^{k+1}$ follows, and indeed $p^{k+1}$ equals $p_i$. This means again that (4.7) above is successful.

(3) For convenience let $\hat r_i$ denote $\oplus(r_i \mathrel{\mathit{after}_{\not\checkmark}} a)$, for $i = 1, 2$. Suppose $p \mathrel{\mathit{must}} \hat r_1$. Then one can argue that $p_1 + \bar a.p \mathrel{\mathit{must}} r_1$. Since $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ this ensures that $p_1 + \bar a.p \mathrel{\mathit{must}} r_2$. From this it is easy to see that $p \mathrel{\mathit{must}} r'$ for every $r'$ in the non-empty set $r_2 \mathrel{\mathit{after}_{\not\checkmark}} a$. Now the required result, $p \mathrel{\mathit{must}} \hat r_2$, follows. $\square$

We note in passing that the first part of this proposition depends on the possibility of processes diverging. In the absence of divergence, that is if we confine our attention to both servers and clients which can never diverge, one can prove that $a.\mathbf{1} \sqsubseteq_{\mathrm{clt}} a.\tau.\mathbf{1}$; see Example 4.2.26 in [Ber13]. This inequation would provide a counter example to part (1) of Proposition 4.8, for $a.\tau.\mathbf{1} \xRightarrow[\not\checkmark]{a}$, whereas $a.\mathbf{1} \not\xRightarrow[\not\checkmark]{a}$.


The property involving infinite sequences in Definition 3.10 does not follow from point (3) of Proposition 4.8 and requires an additional argument.

Lemma 4.9. Suppose $r_1 \sqsubseteq_{\mathrm{clt}} r_2$. If $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} u$ and $r_2 \xRightarrow[\not\checkmark]{u}$, where $u \in \mathsf{Act}^\infty$, then $r_1 \xRightarrow[\not\checkmark]{u}$.

Proof. Let $u = a_1 a_2 a_3 \ldots$. To show that $r_1 \xRightarrow[\not\checkmark]{u}$ we have to exhibit a sequence $t = t_1 t_2 t_3 \ldots$ of visible actions and $\tau$'s and a sequence of derivatives
$$r_1 = r_1^0 \xrightarrow{t_1} r_1^1 \xrightarrow{t_2} r_1^2 \xrightarrow{t_3} \cdots$$
such that
• for every $n \in \mathbb{N}$, $u_n = (t_k) \setminus \tau$ for some $k \in \mathbb{N}$, where $u_n$ and $t_k$ are the prefixes of length $n$ and $k$ of $u$ and $t$;
• for every $n \in \mathbb{N}$, $r_1^n \not\xrightarrow{\checkmark}$.

The hypothesis $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} u$ ensures that for every $u_k$ there is a $p_k$ such that $p_k \mathrel{\mathit{must}} \oplus(r_1 \mathrel{\mathit{after}_{\not\checkmark}} u_k)$. For every $k \in \mathbb{N}$, let $A_k = p_k + \bar a_{k+1}.A_{k+1}$.

By zipping $r_2 \xRightarrow[\not\checkmark]{u}$ with $A_0$ one sees that $A_0 \not\mathrel{\mathit{must}} r_2$, for the client $r_2$ does not report success. In turn $A_0 \not\mathrel{\mathit{must}} r_1$, so there exists a maximal computation of $r_1 \parallel A_0$ which is not client-successful. Given the construction of the $A$'s and the $p_k$'s, this is possible only if the computation is due to the infinite trace $u$. So $r_1 \xRightarrow{u}$, which ensures the first two properties above. As the computation is unsuccessful, $r_1^i \not\xrightarrow{\checkmark}$ for every $i \in \mathbb{N}$. $\square$

We have now gathered sufficient material to give the proof of completeness.

Theorem 4.10 (Completeness). $r_1 \sqsubseteq_{\mathrm{clt}} r_2$ implies $r_1 \preccurlyeq_{\mathrm{clt}} r_2$.

Proof. We have to infer all the properties used in Definition 3.10. The property (2) for $w \in \mathsf{Act}^\infty$ follows directly from the preceding lemma. All other properties are parametrised on $s \in \mathsf{Act}^*$; they can be inferred using induction on the length of $s$, and Proposition 4.8. Here we give one example, and the remaining ones can be established in a similar manner.

We show that $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} s$ implies $r_2 \mathrel{\mathit{usbl}_{\not\checkmark}} s$. If $s$ is the empty string this follows immediately. So suppose it has the form $bt$ and $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} b.t$; we have to prove that $r_2 \mathrel{\mathit{usbl}_{\not\checkmark}} b.t$ follows. This requires establishing (a) $r_2 \in \mathcal{U}_{\mathrm{clt}}$, which is a consequence of $r_1$ being in $\mathcal{U}_{\mathrm{clt}}$, and (b) if $r_2 \xRightarrow[\not\checkmark]{b}$ then $\oplus(r_2 \mathrel{\mathit{after}_{\not\checkmark}} b) \mathrel{\mathit{usbl}_{\not\checkmark}} t$. So suppose $r_2 \xRightarrow[\not\checkmark]{b}$. But by part (3) of Proposition 4.8 we know that $\oplus(r_1 \mathrel{\mathit{after}_{\not\checkmark}} b) \sqsubseteq_{\mathrm{clt}} \oplus(r_2 \mathrel{\mathit{after}_{\not\checkmark}} b)$. Moreover unravelling the assumption $r_1 \mathrel{\mathit{usbl}_{\not\checkmark}} s$ gives that $\oplus(r_1 \mathrel{\mathit{after}_{\not\checkmark}} b) \mathrel{\mathit{usbl}_{\not\checkmark}} t$. The required result, $\oplus(r_2 \mathrel{\mathit{after}_{\not\checkmark}} b) \mathrel{\mathit{usbl}_{\not\checkmark}} t$, now follows by induction. $\square$


5. Characterising the peer behaviour

In this section we are concerned with the behavioural characterisation of the peer preorder, Theorem 3.20. The material is organised in three subsections, where we respectively gather ancillary results, prove the soundness of the characterisation, and then prove its completeness.

5.1. Preliminaries.

Lemma 5.1. If $r \in \mathcal{U}_{\mathrm{clt}}$, then there exists a $p$ such that $p \mathrel{\mathit{must}} r$, $p \not\xrightarrow{\checkmark}$ and $p \not\xrightarrow{\tau}$.

Proof. Suppose $r \in \mathcal{U}_{\mathrm{clt}}$. This means that there is some $p_a$ such that $p_a \mathrel{\mathit{must}} r$. As a first step in the proof of the lemma we show that
$$p_n \mathrel{\mathit{must}} r \text{ for some } p_n \text{ satisfying } p_n \not\xrightarrow{\tau} \tag{5.1}$$
The argument proceeds on whether or not $p_a$ diverges.

(a) $p_a$ diverges: here $p_a \mathrel{\mathit{must}} r$ implies that $r \xrightarrow{\checkmark}$. It follows that $\mathbf{0} \mathrel{\mathit{must}} r$; as $\mathbf{0} \not\xrightarrow{\tau}$, we can take the required $p_n$ to be $\mathbf{0}$.

(b) $p_a$ converges: here let $p_n$ be any process satisfying $p_a \Longrightarrow p_n$ and $p_n \not\xrightarrow{\tau}$; there must exist at least one. All maximal computations of $p_n \parallel r$ are extensions of the initial computation $p_a \parallel r \Longrightarrow p_n \parallel r$, which ensures that $p_n \mathrel{\mathit{must}} r$.

Having established (5.1) above we now complete the proof of the lemma by examining the structure of $p_n$. If $p_n \not\xrightarrow{\checkmark}$ we are done. Otherwise, because of the possible structure of processes (see the figure giving the syntax of processes), $p_n$ must take the form $p + \sum_{i \in I} \mathbf{1}$ for some non-empty set $I$ and $p$ such that $p \not\xrightarrow{\checkmark}$; moreover $p_n \not\xrightarrow{\tau}$ ensures that $p \not\xrightarrow{\tau}$ also.

It is easy to use Theorem 3.15 to prove that $p_n \sqsubseteq_{\mathrm{svr}} p$, since adding $\mathbf{1}$ to terms has no impact on their traces and acceptance sets. It follows that $p \mathrel{\mathit{must}} r$, and so $p$ enjoys all the required properties. $\square$

The next lemma tells what it means for a process $r$ to be usable along an unsuccessful trace $s$.

Lemma 5.2. For every process $r$ and trace $s$, if $r \mathrel{\mathit{usbl}_{\not\checkmark}} s$ then for every prefix $s'$ of $s$, if $r \xRightarrow[\not\checkmark]{s'}$ there exists a server $p$ such that $p \mathrel{\mathit{must}} \oplus(r \mathrel{\mathit{after}_{\not\checkmark}} s')$.

Proof. As $r \mathrel{\mathit{usbl}_{\not\checkmark}} s$, $p \mathrel{\mathit{must}} r$ for some $p$.

We reason by induction on $s$. In the base case ($s = \varepsilon$) observe that $p \mathrel{\mathit{must}} \oplus(r \mathrel{\mathit{after}_{\not\checkmark}} \varepsilon)$.

In the inductive case let $s = a.\hat s$. Fix a prefix $s'$ of $s$ such that $r \xRightarrow[\not\checkmark]{s'}$; we have to show a server $p$ which must pass $\oplus(r \mathrel{\mathit{after}_{\not\checkmark}} s')$.

If $s'$ is empty we reason as in the base case. If $s'$ is not empty, then $s' = a.s''$. Let $\hat r = \oplus(r \mathrel{\mathit{after}_{\not\checkmark}} a)$; since $r \xRightarrow[\not\checkmark]{a}$, the hypothesis $r \mathrel{\mathit{usbl}_{\not\checkmark}} s$ ensures that $\hat r \mathrel{\mathit{usbl}_{\not\checkmark}} \hat s$. The inductive hypothesis ensures that for every prefix $s'''$ of $\hat s$, if $\hat r \xRightarrow[\not\checkmark]{s'''}$ then there exists a server $p$ such that $p \mathrel{\mathit{must}} \oplus(\hat r \mathrel{\mathit{after}_{\not\checkmark}} s''')$. Since $s''$ is a prefix of $\hat s$, the equality
$$\oplus(\hat r \mathrel{\mathit{after}_{\not\checkmark}} s'') = \oplus(r \mathrel{\mathit{after}_{\not\checkmark}} s')$$
implies that there exists a $p$ such that $p \mathrel{\mathit{must}} \oplus(r \mathrel{\mathit{after}_{\not\checkmark}} s')$. $\square$

The next result gives a proof method for the predicate $\Downarrow$. This proof method is based on the convergence of the residuals of processes after traces.

Lemma 5.3. If for every prefix $s'$ of $s$, $p \xRightarrow{s'} p'$ implies $p' \Downarrow$, then $p \Downarrow s$.

Proof. Let us assume that for every prefix $s'$ of $s$, $p \xRightarrow{s'} p'$ implies $p' \Downarrow$. The string $\varepsilon$ is a prefix of every string $s$, so the assumption and $p \xRightarrow{\varepsilon} p$ imply that $p \Downarrow$.

We proceed by induction on $s$. As $p \Downarrow$, the base case is true. In the inductive case $s = a.s'$ and either $p \not\xRightarrow{a}$ or $p \xRightarrow{a}$. In the first case $p \Downarrow a.s'$ follows, while in the second case the assumption holds for $\oplus(p \mathrel{\mathit{after}} a)$ and every prefix of $s'$. Induction on $s'$ implies that $\oplus(p \mathrel{\mathit{after}} a) \Downarrow s'$, and so $p \Downarrow a.s'$. $\square$


5.2. Soundness. Our aim in this section is to prove that the peer preorder contains the behavioural preorder of Definition 3.19. Roughly speaking, the proof is a combination of the standard arguments that show the soundness of the server preorder [Hen88] with the arguments on usability that we used to prove the soundness of the client preorder, Theorem 4.6. Much in the same style as Section 4.2, the proof is monolithic.

Theorem 5.4 (Soundness peer). $p \preccurlyeq_{\mathrm{p2p}} q$ implies $p \sqsubseteq_{\mathrm{p2p}} q$.

Proof. Fix two processes $p$ and $q$ such that $p \preccurlyeq_{\mathrm{p2p}} q$. We are required to show that $p \sqsubseteq_{\mathrm{p2p}} q$, that is $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$ implies $q \mathrel{\mathit{must}^{\mathrm{p2p}}} r$ for every process $r$. Fix a process $r$ such that $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$; we explain why all the maximal computations of $q \parallel r$ are successful.

The definition of $\preccurlyeq_{\mathrm{p2p}}$ ensures that $p \preccurlyeq_{\mathrm{clt}} q$, so Theorem 4.6 implies that $p \sqsubseteq_{\mathrm{clt}} q$. The assumption $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$ ensures that $r \mathrel{\mathit{must}} p$, thus $r \mathrel{\mathit{must}} q$. It follows that all the maximal computations of $q \parallel r$ are client-successful, that is $q$ reaches a successful state.

What is left to prove is that the maximal computations of $q \parallel r$ contain a state $q' \parallel r'$ wherein $r' \xrightarrow{\checkmark}$.

Fix a maximal computation of $q \parallel r$,
$$q \parallel r = q_0 \parallel r_0 \to q_1 \parallel r_1 \to q_2 \parallel r_2 \to \cdots \tag{5.2}$$
Unzip the computation above. We obtain the contributions
$$q \xRightarrow{w}, \qquad r \xRightarrow{w}$$
for some possibly infinite $w$.

The argument now depends on $p$. Either $p \Uparrow w$ or $p \Downarrow w$.

In the first case $p$ performs a prefix of $w$, say $s$, and reaches a state $p'$ that diverges: $p \xRightarrow{s} p' \to p'_1 \to p'_2 \to \cdots$. Zip this diverging trace of $p$ with a prefix of the trace $r \xRightarrow{w}$ and let $p'$ diverge. The result is an infinite (i.e. maximal) computation of $p \parallel r$ that contains a successful derivative of $r$, because $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$. The successful derivative of $r$ appears also in (5.2) above.
Suppose now that $p \Downarrow w$.

The computation in (5.2) above is either finite or infinite. Suppose it is finite. Then the contributions are
$$q \xRightarrow{s} q_k, \qquad r \xRightarrow{s} r_k$$
where $q_k \parallel r_k \not\xrightarrow{\tau}$ and $s = w$. The last fact ensures that $p \Downarrow s$. Since $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$ implies $r \mathrel{\mathit{must}} p$, and $r \xRightarrow{s} r_k$, Corollary 4.2 guarantees that $p \mathrel{\mathit{usbl}_{\not\checkmark}} s$.

Note that $q \xRightarrow{s} q_k$ ensures $\mathcal{S}(q_k) \in \mathit{Acc}(q, s)$. As $p \mathrel{\mathit{usbl}_{\not\checkmark}} s$ and $p \Downarrow s$ we know $p \Downarrow_{\mathrm{p2p}} s$, so part (1b) of Definition 3.18 implies that there exists a set $A \in \mathit{Acc}(p, s)$ such that $A \cap \mathsf{ua}_{\mathrm{clt}}(p, s) \subseteq \mathcal{S}(q_k)$. In turn this means that there exists a stable $p'$ such that $\mathcal{S}(p') = A$ and $p \xRightarrow{s} p'$. Consider the computation $p \parallel r \Longrightarrow p' \parallel r_k$. If the state $p' \parallel r_k$ is stable, then the computation is maximal, thus $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$ ensures that one of the derivatives of $r$ is successful. This derivative appears also in (5.2) above.

We have to prove that $p' \parallel r_k \not\xrightarrow{\tau}$. The reasoning here is analogous to the one used in Theorem 4.6 to show that the state $p_k \parallel r_1^k$ is stable, and relies on Corollary 4.4.

Thus far we have proven that if (5.2) above is finite, then $r$ reaches a successful state. This is the case also if the computation is infinite. Let us see why.

Either $q$ and $r$ engage in infinite traces, or (at least) one of them diverges.

Suppose that the contributions obtained by unzipping the computation in (5.2) are infinite,
$$q \xRightarrow{u}, \qquad r \xRightarrow{u} \tag{5.3}$$
with $u = w$. We have to show that one of the derivatives of $r$ is successful. As $r \xRightarrow{u}$ and $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$, Corollary 4.2 applied to every finite prefix of $u$ implies that $p \mathrel{\mathit{usbl}_{\not\checkmark}} u$. As $p \Downarrow u$ it follows that $p \Downarrow_{\mathrm{p2p}} u$. Since $q \xRightarrow{u}$, part (2) of Definition 3.18 implies that $p \xRightarrow{u}$. Zip this infinite trace of $p$ with $r \xRightarrow{u}$. The resulting computation of $p \parallel r$ is infinite as well, so the assumption $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$ ensures that $r$ reaches a successful state. This state appears in (5.2) above.

Now we discuss the case of (5.2) being due to finite traces and divergence of $q$ or $r$. Unzipping (5.2) gives the following contributions,
$$q \xRightarrow{s} q_k, \qquad r \xRightarrow{s} r_k$$
with $w = s$. Note that $p \Downarrow s$. The fact that $r \xRightarrow{s}$ implies $p \mathrel{\mathit{usbl}_{\not\checkmark}} s$, so $p \Downarrow_{\mathrm{p2p}} s$. Part (1a) of Definition 3.18 implies that $q \Downarrow s$, so the divergent process must be $r_k$.

Part (2) of Definition 3.18, $q \xRightarrow{s}$, and $p \Downarrow_{\mathrm{p2p}} s$ imply that $p \xRightarrow{s}$. Zip this trace of $p$ with the trace $r \xRightarrow{s} r_k$, and let $r_k$ diverge. The resulting computation of $p \parallel r$ is infinite, so one of the derivatives of $r$ in it is successful; this is true because of the assumption $p \mathrel{\mathit{must}^{\mathrm{p2p}}} r$. This successful derivative of $r$ appears also in (5.2) above. $\square$


5.3. Completeness. This section contains the proof that the behavioural characterisation given in Definition 3.19 is complete with respect to the peer preorder. This result is the converse inclusion of Theorem 5.4.

In view of Proposition 3.16, the bulk of the work is to prove that the peer preorder is contained in the behavioural preorder $\preccurlyeq_{\mathrm{usvr}}$, Proposition 5.10.

In Section 4 we have proven a similar result for the client preorder and its characterisation, Theorem 3.13. Our reasoning there is inductive, and relies on the property proven in part (3) of Proposition 4.8. That property is not true for the peer preorder and traces, so here we will reason using techniques analogous to the standard ones of [Hen88].

Example 5.5. It is not true that if $p \sqsubseteq_{\mathrm{p2p}} q$ and $q \xRightarrow{a}$ for some action $a$, then $\oplus(p \mathrel{\mathit{after}} a) \sqsubseteq_{\mathrm{p2p}} \oplus(q \mathrel{\mathit{after}} a)$. An example are the peers $p = a.\mathbf{1}$ and $q = \mathbf{1} + a.\mathbf{0}$. First, the inequality $p \sqsubseteq_{\mathrm{p2p}} q$ is true, because the peers $p$ and $q$ engage in exactly the same interactions, and the latter is trivially satisfied (i.e. $q \xrightarrow{\checkmark}$). Second, $\oplus(p \mathrel{\mathit{after}} a) = \tau.\mathbf{1}$ and $\oplus(q \mathrel{\mathit{after}} a) = \tau.\mathbf{0}$. A peer that witnesses $\tau.\mathbf{1} \not\sqsubseteq_{\mathrm{p2p}} \tau.\mathbf{0}$ is $\mathbf{1}$, for $\tau.\mathbf{1} \mathrel{\mathit{must}^{\mathrm{p2p}}} \mathbf{1}$, while $\tau.\mathbf{0} \not\mathrel{\mathit{must}^{\mathrm{p2p}}} \mathbf{1}$.

The remaining part of the section essentially shows which properties typical of server behaviours are enjoyed by peers. During unsuccessful execution of traces, peers behave at the same time as clients and servers, whereas after reporting success they behave only as servers. The tests that we will use in the proofs below witness this intuition, for they are a combination of the tests used to reason on the client and on the server behaviours.

Lemma 5.6. If $p \sqsubseteq_{\mathrm{p2p}} q$, $p \Downarrow_{\mathrm{p2p}} s$, and $q \xRightarrow{s} q'$, then $q' \Downarrow$.

Proof. It is enough to show a peer $C$ such that $q \mathrel{\mathit{must}^{\mathrm{p2p}}} C$ and $C \xRightarrow[\not\checkmark]{s} \hat C$ for some $\hat C$. These facts imply that if $q \xRightarrow{s} q'$ then $q' \Downarrow$. This is true for otherwise there exists a maximal computation of $q \parallel C$ which is not successful, namely
$$q \parallel C \Longrightarrow q' \parallel \hat C \to q'' \parallel \hat C \to q''' \parallel \hat C \to \cdots$$
As $q \mathrel{\mathit{must}^{\mathrm{p2p}}} C$ follows from $p \mathrel{\mathit{must}^{\mathrm{p2p}}} C$, we define $C$ and prove the latter fact. Let $s = a_1 a_2 \ldots a_n$ and let $s'$ be the longest prefix of $s$ such that $p \xRightarrow[\not\checkmark]{s'}$. The precise definition of $C$ depends on the existence of $s'$, so we treat the two cases separately.

Suppose $s'$ does not exist. In this case $p \xrightarrow{\checkmark}$. For every $0 \le k \le n+1$, let
$$C_k = \begin{cases} (\tau.\mathbf{1}) + \bar a_{k+1}.C_{k+1} & \text{if } 0 \le k \le n \\ \tau.\mathbf{1} & \text{if } k = n+1 \end{cases}$$
The reason why $p \mathrel{\mathit{must}} C_0$ is that $p \Downarrow s$. This follows from $p \Downarrow_{\mathrm{p2p}} s$, and ensures that all the maximal computations of $C_0 \parallel p$ contain a stable state $C' \parallel p'$. As $C_0 \xRightarrow{s''} C'$ for some prefix $s''$ of $s$, the definition of the $C_k$'s ensures that $C' \xrightarrow{\checkmark}$.

Since $p \xrightarrow{\checkmark}$ we also know that $C \mathrel{\mathit{must}} p$, and so $p \mathrel{\mathit{must}^{\mathrm{p2p}}} C$. The hypothesis $p \sqsubseteq_{\mathrm{p2p}} q$ implies that $q \mathrel{\mathit{must}^{\mathrm{p2p}}} C$.

Suppose $s'$ exists. In this case $p \xRightarrow[\not\checkmark]{s'}$; let $s' = a_1 a_2 \ldots a_m$, with $m \le n$. For every $0 \le j \le m$ the assumption $p \xRightarrow[\not\checkmark]{s'}$ ensures that $p \xRightarrow[\not\checkmark]{s_j}$, where $s_j$ is the prefix of $s'$ of length $j$. Lemma 5.2 ensures that for every $0 \le j \le m$ there exists a $r_j$ such that
$$r_j \mathrel{\mathit{must}} \oplus(p \mathrel{\mathit{after}_{\not\checkmark}} s_j) \tag{5.4}$$
For every $0 \le k \le n+1$ let
$$C_k = \begin{cases} \tau.(r_k + \mathbf{1}) + \bar a_{k+1}.C_{k+1} & \text{if } 0 \le k \le m \\ (\tau.\mathbf{1}) + \bar a_{k+1}.C_{k+1} & \text{if } m < k \le n \\ \tau.(r_n + \mathbf{1}) & \text{if } k = n+1,\ m = n \\ \tau.\mathbf{1} & \text{if } k = n+1,\ m < n \end{cases}$$
We prove that $p \mathrel{\mathit{must}^{\mathrm{p2p}}} C_0$. Fix a maximal computation of $p \parallel C_0$,
$$p \parallel C_0 = p^0 \parallel C^0 \to p^1 \parallel C^1 \to p^2 \parallel C^2 \to \cdots \tag{5.5}$$
Intuitively, if one of the $r_j + \mathbf{1}$'s appears in the computation, then there is a state $p^k \parallel C^k$ with $C^k = r_j + \mathbf{1}$. The peer $C_0$ reaches a successful state (namely $C^k$ itself). As for $p$, either $p^i \xrightarrow{\checkmark}$ for some $i \le k$, or (5.4) above ensures that in the computation of $p^k \parallel (r_j + \mathbf{1})$, $p^k$ reaches a successful state.

If no $r_k + \mathbf{1}$ appears in the computation then the convergence of $p$, $p \Downarrow s$, ensures that $C_0$ reaches $\mathbf{1}$. Moreover the construction of the $C_k$'s and the $r_k$'s implies that $p$ reaches a successful state in the computation. $\square$
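Example 3.17, Example 5.5 and the chain of tests $C_k = \tau.\mathbf{1} + \bar a_{k+1}.C_{k+1}$ used in the proof of Lemma 5.6 can all be checked mechanically once the processes are finite. The following Python is an added illustration written for this page, not code from the paper. It assumes CCS-style synchronisation between an action `a` and its complement, written `~a` (so the client of Example 3.17 is `~a.1`), writes the success process $\mathbf{1}$ as `ONE`, takes a state to report success when `ONE` is the term itself or one of its top-level summands, and handles only recursion-free terms, so divergence is not modelled and every maximal computation is finite.

```python
"""Must-testing checker for finite CCS-style terms with a success process 1.

Added illustration, not code from the paper.  Assumptions (mine): a visible
action 'a' synchronises with its complement '~a'; ONE is the success process;
a term reports success (->check) when ONE is the term or a top-level summand;
terms are recursion-free, so tau^inf divergence is not modelled.
"""
from functools import lru_cache

NIL = ('nil',)   # 0, the deadlocked process
ONE = ('one',)   # 1, the success process
TAU = 'tau'      # the internal action


def prefix(act, cont):
    """act.cont"""
    return ('pre', act, cont)


def plus(*terms):
    """External choice; nested sums are flattened so summands stay visible."""
    summands = []
    for t in terms:
        summands.extend(t[1:] if t[0] == 'sum' else [t])
    return ('sum',) + tuple(summands)


def complement(act):
    return act[1:] if act.startswith('~') else '~' + act


def steps(t):
    """Strong transitions of t as (action, derivative) pairs."""
    if t[0] == 'pre':
        return [(t[1], t[2])]
    if t[0] == 'sum':
        return [s for u in t[1:] for s in steps(u)]
    return []                      # 0 and 1 have no transitions


def reports_success(t):
    """t ->check: ONE is t itself or one of its top-level summands."""
    return t == ONE or (t[0] == 'sum' and ONE in t[1:])


def reductions(p, r):
    """Internal moves of p || r: a tau by either side, or a synchronisation."""
    out = [(p2, r) for a, p2 in steps(p) if a == TAU]
    out += [(p, r2) for b, r2 in steps(r) if b == TAU]
    out += [(p2, r2) for a, p2 in steps(p) if a != TAU
            for b, r2 in steps(r) if b == complement(a)]
    return out


@lru_cache(maxsize=None)
def must(p, r):
    """p must r: every maximal computation of p || r contains a state whose
    client component reports success.  A stable unsuccessful state is a
    failing maximal computation; each reduction shrinks the pair, so the
    recursion terminates on finite terms."""
    if reports_success(r):
        return True
    nxt = reductions(p, r)
    if not nxt:
        return False
    return all(must(p2, r2) for p2, r2 in nxt)


def must_p2p(p, r):
    """Mutual satisfaction of peers: p must r and r must p."""
    return must(p, r) and must(r, p)


def chain_test(trace):
    """The peer C_0 of Lemma 5.6 for the case p ->check:
    C_k = tau.1 + ~a_{k+1}.C_{k+1}, with the last C being tau.1."""
    c = prefix(TAU, ONE)
    for a in reversed(trace):
        c = plus(prefix(TAU, ONE), prefix(complement(a), c))
    return c


def example_3_17():
    """a.0 satisfies the client ~a.1, b.0 does not; and no peer in the sample
    list is mutually satisfied with a.0, which never reports success."""
    a0, b0, client = prefix('a', NIL), prefix('b', NIL), prefix('~a', ONE)
    peers = [client, ONE, NIL, prefix('~a', NIL), plus(ONE, prefix('~a', NIL))]
    return must(a0, client), must(b0, client), any(must_p2p(a0, r) for r in peers)


def example_5_5():
    """The peer 1 separates tau.1 from tau.0, although every sample peer that
    p = a.1 mutually satisfies is also mutually satisfied by q = 1 + a.0."""
    p, q = prefix('a', ONE), plus(ONE, prefix('a', NIL))
    peers = [prefix('~a', ONE), prefix('~a', NIL), ONE, NIL,
             plus(ONE, prefix('~a', NIL)), prefix(TAU, prefix('~a', ONE))]
    preserved = all(must_p2p(q, r) for r in peers if must_p2p(p, r))
    return must_p2p(prefix(TAU, ONE), ONE), must_p2p(prefix(TAU, NIL), ONE), preserved


def lemma_5_6_instance():
    """p = 1 + a.b.0 reports success and converges, so it must^p2p C_0 for s = ab."""
    p = plus(ONE, prefix('a', prefix('b', NIL)))
    return must_p2p(p, chain_test(('a', 'b')))
```

`must` is the definition of must-testing read as a recursion over the reduction graph of $p \parallel r$: a state whose client reports success closes the branch, a stable state that has not done so is a failing maximal computation. `example_3_17()` returns `(True, False, False)`, so $a.\mathbf{0} \not\sqsubseteq_{\mathrm{svr}} b.\mathbf{0}$ while $a.\mathbf{0}$ is never mutually satisfied, which is why $a.\mathbf{0} \sqsubseteq_{\mathrm{p2p}} b.\mathbf{0}$ holds vacuously; `example_5_5()` returns `(True, False, True)`. Only finitely many candidate peers are tried, so the last component is evidence for $p \sqsubseteq_{\mathrm{p2p}} q$ on this sample, not a proof of the preorder.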

Corollary 5.7. If $p \sqsubseteq_{\mathrm{p2p}} q$ and $p \Downarrow_{\mathrm{p2p}} s$, then $q \Downarrow s$.

Proof. For every prefix $s'$ of $s$, the hypotheses imply that $p \Downarrow_{\mathrm{p2p}} s'$ and that whenever $q \xRightarrow{s'} q'$, Lemma 5.6 ensures that $q' \Downarrow$. Lemma 5.3 implies that $q \Downarrow s$. $\square$

Lemma 5.8. Let $p \sqsubseteq_{\mathrm{p2p}} q$. For every $s \in \mathsf{Act}^*$, if $p \Downarrow_{\mathrm{p2p}} s$ and $q \xRightarrow{s}$, then $p \xRightarrow{s}$.

Proof. It suffices to define a peer $C$ such that $p \not\mathrel{\mathit{must}} C$, $C \xRightarrow[\not\checkmark]{s} C'$ with $C' \not\xrightarrow{\checkmark}$ stable, and for every proper prefix $s'$ of $s$, $C \xRightarrow{s'} C''$ implies that $C''$ can still report success. These three conditions and $p \Downarrow s$ ensure that $p \xRightarrow{s}$, for otherwise all the maximal computations of $p \parallel C$ would be client-successful, thereby contradicting $p \not\mathrel{\mathit{must}} C$. To prove that $p \not\mathrel{\mathit{must}} C$, it suffices to show that $q \not\mathrel{\mathit{must}^{\mathrm{p2p}}} C$ and $C \mathrel{\mathit{must}} p$. We show the first fact. The hypothesis implies that there exists a $q'$ such that $q \xRightarrow{s} q'$. If $q'$ diverges we infer the maximal computation
$$C_0 \parallel q \Longrightarrow C' \parallel q' \to C' \parallel q'' \to C' \parallel q''' \to \cdots$$
If $q'$ does not diverge, then there exists a $q''$ such that $q' \Longrightarrow q'' \not\xrightarrow{\tau}$ and we infer the maximal computation $C_0 \parallel q \Longrightarrow C' \parallel q'' \not\xrightarrow{\tau}$. In both cases we have shown a non client-successful computation of $C_0 \parallel q$, so we have proven that $q \not\mathrel{\mathit{must}} C_0$. This ensures that $q \not\mathrel{\mathit{must}^{\mathrm{p2p}}} C_0$.

Now we define a suitable $C$, and prove that $C \mathrel{\mathit{must}} p$. Let $n$ be the length of $s$, $s = a_1 a_2 \ldots a_n$, and let $s'$ be the longest prefix of $s$ such that $p \xRightarrow[\not\checkmark]{s'}$. The construction of $C$ depends on the existence of $s'$, and so the rest of the proof is divided in two parts.

Suppose $s'$ does not exist. In this case $p \xrightarrow{\checkmark}$. For every $0 \le i \le n+1$, let
$$C_i = \begin{cases} (\tau.\mathbf{1}) + \bar a_{i+1}.C_{i+1} & \text{if } 0 \le i \le n \\ \mathbf{0} & \text{if } i = n+1 \end{cases}$$
We prove that $q \not\mathrel{\mathit{must}} C_0$. The hypothesis implies that there exists a $q'$ such that $q \xRightarrow{s} q'$. If $q'$ diverges we infer the maximal computation
$$C_0 \parallel q \Longrightarrow \mathbf{0} \parallel q' \to \mathbf{0} \parallel q'' \to \mathbf{0} \parallel q''' \to \cdots$$
If $q'$ does not diverge, then there exists a $q''$ such that $q' \Longrightarrow q'' \not\xrightarrow{\tau}$ and we infer the maximal computation $C_0 \parallel q \Longrightarrow \mathbf{0} \parallel q'' \not\xrightarrow{\tau}$. In both cases we have shown a non client-successful computation of $C_0 \parallel q$, so we have proven that $q \not\mathrel{\mathit{must}} C_0$. This ensures that $q \not\mathrel{\mathit{must}^{\mathrm{p2p}}} C_0$.

Since $p \xrightarrow{\checkmark}$ it is clear that $C \mathrel{\mathit{must}} p$.

Suppose $s'$ exists. Let $s' = a_0 a_1 \ldots a_m$, with $m \le n$. For every $0 \le k \le m$, the assumption $p \Downarrow_{\mathrm{p2p}} s$ ensures that $p \mathrel{\mathit{usbl}_{\not\checkmark}} s$, and so Lemma 5.2 and Lemma 5.1 imply that there exists a $\hat r_k$ such that $\hat r_k \mathrel{\mathit{must}} \oplus(p \mathrel{\mathit{after}_{\not\checkmark}} s_k)$, $\hat r_k \not\xrightarrow{\tau}$ and $\hat r_k \not\xrightarrow{\checkmark}$, where $s_k$ is the prefix of $s'$ of length $k$. For every $0 \le i \le n+1$, let
$$C_i = \begin{cases} \tau.(\hat r_i + \mathbf{1}) + \bar a_{i+1}.C_{i+1} & \text{if } 0 \le i \le m \\ (\tau.\mathbf{1}) + \bar a_{i+1}.C_{i+1} & \text{if } m < i \le n \\ \hat r_n & \text{if } i = n+1,\ m = n \\ \mathbf{0} & \text{if } i = n+1,\ m < n \end{cases}$$
We prove that $C_0 \mathrel{\mathit{must}} p$. Fix a maximal computation
$$C_0 \parallel p = C^0 \parallel p^0 \to C^1 \parallel p^1 \to C^2 \parallel p^2 \to \cdots$$
Either one of the $\hat r_i + \mathbf{1}$ (or $\hat r_n$) appears in the computation, or none does. Suppose $C^k = \hat r_i + \mathbf{1}$ or $C^k = \hat r_n$ for some state $C^k \parallel p^k$. If some $p^j$ with $j \le k$ is successful the computation is client-successful. If no $p^j$ is successful, then the part of the computation starting at $C^k \parallel p^k$ is client-successful, for $\hat r_i \mathrel{\mathit{must}} p^k$. If neither an $\hat r_j + \mathbf{1}$ nor $\hat r_n$ appears in the computation then there must be a state $C^k \parallel p^k$ with $C^k = C_{n+1}$, and $C^k \in \{\mathbf{0}, \mathbf{1}\}$, because neither $\hat r_n$ nor $\hat r_i + \mathbf{1}$ appear. This and the construction of $C$ ensure that $p$ reaches a successful state in the computation above, for otherwise $C^k = \hat r_n$ or $C^k = \hat r_i + \mathbf{1}$ for some $i$. $\square$

Lemma 5.9. If $p \sqsubseteq_{\mathrm{p2p}} q$ and $p \Downarrow_{\mathrm{p2p}} s$, then for every $B \in \mathit{Acc}(q, s)$ there exists a set $A$ such that $A \in \mathit{Acc}(p, s)$ and $A \cap \mathsf{ua}_{\mathrm{clt}}(p, s) \subseteq B$.

Proof. Let $s = b_1 b_2 \ldots b_n$. We reason by contradiction. Suppose that there exists a set $B \in \mathit{Acc}(q, s)$ such that $A \cap \mathsf{ua}_{\mathrm{clt}}(p, s) \not\subseteq B$ for every $A \in \mathit{Acc}(p, s)$. We use this assumption to define a peer $C$ such that $p \mathrel{\mathit{must}^{\mathrm{p2p}}} C$ and $q \not\mathrel{\mathit{must}^{\mathrm{p2p}}} C$, thereby proving that $p \not\sqsubseteq_{\mathrm{p2p}} q$.

In particular, we build a $C$ such that $C \xRightarrow[\not\checkmark]{s} C'$, where $C'$ is similar to the external sum we used to prove part (2) of Proposition 4.8. This allows us to prove that $q \not\mathrel{\mathit{must}^{\mathrm{p2p}}} C$.

Let $I$ be the index set of $\mathit{Acc}(p, s)$, let $J$ be the subset of $I$ which ranges over the ready sets of $p$ after successful executions of $s$, and let $a_i$ be an action in $(A_i \cap \mathsf{ua}_{\mathrm{clt}}(p, s)) \setminus B$.

The construction of $C$ depends on the longest prefix $s'$ of $s$ that is performed unsuccessfully by $p$.

Suppose $s'$ does not exist. In this case for every $0 \le k \le n+1$ we let
$$C_k = \begin{cases} (\tau.\mathbf{1}) + \bar b_{k+1}.C_{k+1} & \text{if } 0 \le k \le n \\ C' & \text{if } k = n+1 \end{cases}$$
All the maximal computations of $p \parallel C_0$ are successful. This is true because the assumption that $s'$ does not exist implies that $p \xrightarrow{\checkmark}$, and because the hypothesis $p \Downarrow_{\mathrm{p2p}} s$ ensures that $p \Downarrow s$. In turn this lets us prove that $C_0$ reaches a successful state in the maximal computations of $p \parallel C_0$. We have proven that $p \mathrel{\mathit{must}^{\mathrm{p2p}}} C_0$.

To obtain an unsuccessful maximal computation of $q \parallel C_0$ zip together $C_0 \xRightarrow{s} C'$ with the execution of $s$ that leads $q$ to the state $q'$ with ready set $B$. The state $q' \parallel C'$ is stable, so in the computation $C_0$ does not report success. This shows that $q \not\mathrel{\mathit{must}^{\mathrm{p2p}}} C_0$, in turn leading to the mentioned contradiction, $p \not\sqsubseteq_{\mathrm{p2p}} q$.

Suppose $s'$ exists. Let $s' = b_1 b_2 \ldots b_m$, with $m \le n$. The construction of $C$ in this case is more involved than the previous case. For every $0 \le k \le m$, $p \xRightarrow[\not\checkmark]{s_k}$, where $s_k$ is the prefix of $s'$ of length $k$, so the hypothesis $p \Downarrow_{\mathrm{p2p}} s$ implies that there exists a $\hat r_k$ such that $\hat r_k \mathrel{\mathit{must}} \oplus(p \mathrel{\mathit{after}_{\not\checkmark}} s_k)$. For every $0 \le k \le n$ we let
$$C_k = \begin{cases} \tau.(\hat r_k + \mathbf{1}) + \bar b_{k+1}.C_{k+1} & \text{if } 0 \le k \le m \\ (\tau.\mathbf{1}) + \bar b_{k+1}.C_{k+1} & \text{if } m < k \le n \end{cases}$$
with $C_{n+1}$ defined as in the previous case.

To prove that $p \mathrel{\mathit{must}^{\mathrm{p2p}}} C_0$ we show that $C_0 \mathrel{\mathit{must}} p$ and that $p \mathrel{\mathit{must}} C_0$. The reason why $C_0 \mathrel{\mathit{must}} p$ is the same we used in Lemma 5.8. The symmetric statement, $p \mathrel{\mathit{must}} C_0$, follows from the convergence of $p$, which is ensured by the hypothesis $p \Downarrow_{\mathrm{p2p}} s$, and the fact that the stable states reached by $C_0$ are successful, except $C'$. This state, though, can interact with the derivative of $p$ at hand, and reduce to a successful state.

To prove that $q \not\mathrel{\mathit{must}^{\mathrm{p2p}}} C_0$ we proceed as we did in the case that $s'$ does not exist. $\square$


Proposition 5.10. $p \sqsubseteq_{p2p} q$ implies $p \preccurlyeq_{usvr} q$.

Proof. It is a consequence of Corollary 5.7, Lemma 5.9, Lemma 5.8 and of a fourth property of $\sqsubseteq_{p2p}$ that we prove here. We have to show that $p \sqsubseteq_{p2p} q$, $p \Downarrow_{p2p} u$ and $q \Longrightarrow$ imply $p \Longrightarrow$. Fix a pair $p \sqsubseteq_{p2p} q$ that satisfies the first three conditions. $p \Downarrow u$ is true because $p \Downarrow_{p2p} u$. If $p \Longrightarrow$, then the argument is the same we used in Theorem 3.15. If $p \Longrightarrow$ then either $p \Longrightarrow$ or $p \Longrightarrow$. In the first case $p \Longrightarrow$ follows immediately. In the second case, thanks to $p \Downarrow u$ there exists the greatest $m \in \mathbb{N}$ such that $p \Longrightarrow$. The hypothesis $p \Downarrow_{p2p} u$ ensures that $p \mathrel{\mathrm{usbl}} u$, so for every $0 \le i \le m$ there exists a process $r_i$ such that $r_i \mathrel{\mathrm{must}} (p \mathrel{\mathrm{after}} u_i)$. For every $k \in \mathbb{N}$ let

$$C_k \stackrel{\mathrm{def}}{=} \begin{cases} \tau.(r_k + 1) + a_k.C_{k+1} & \text{if } k \le m \\ \tau.1 + a_k.C_{k+1} & \text{otherwise} \end{cases}$$

The remaining part of the proof is analogous to the one of Theorem 3.15 and relies on the fact that $p \Downarrow u$ and that $r_k + 1 \mathrel{\mathrm{must}} (p \mathrel{\mathrm{after}} u_k)$. □
(S1a) $\mu.x_{\not\checkmark} + \mu.y = \mu.(\tau.x_{\not\checkmark} + \tau.y)$

(S1b) $\tau.x \le \tau.\tau.x$

(S2) $x_{\not\checkmark} + \tau.y = \tau.(x_{\not\checkmark} + y) + \tau.y$

(S3) $\mu.x + \tau.(\mu.y + z) = \tau.(\mu.x + \mu.y + z)$

(S4) $\tau.x + \tau.y \le x$

(S5) $\tau^\infty \le x$

Figure 5: Standard inequations


Now the proof of completeness is straightforward.

Theorem 5.11 (Completeness: peers). $p \sqsubseteq_{p2p} q$ implies $p \preccurlyeq_{p2p} q$.

Proof. Fix a pair $p \sqsubseteq_{p2p} q$. We have to show that $p \preccurlyeq_{clt} q$ and $p \preccurlyeq_{usvr} q$. The first fact follows from Proposition 3.16 and Theorem 3.13. The second fact is Proposition 5.10. □


6. Equational characterisation

We use CCS^ to denote the finite sub-language of CCS; this consists of all finite terms constructed from the operators $0$, $1$, $\mu.-$ for each $\mu \in \mathit{Act}_\tau$, together with the special operator $\tau^\infty$; its inclusion enables us to consider the algebraic properties of divergent processes. Our intention is to use equations, or more generally inequations, to characterise the three behavioural preorders $p \sqsubseteq_{*} q$ over this finite algebra, where $*$ ranges over $svr$, $clt$ and $p2p$. For a given set of inequations $E$ we will use $p \sqsubseteq_E q$ to denote that the inequation $p \le q$ can be derived from $E$ using standard equational reasoning, while $t =_E u$ means that both $t \sqsubseteq_E u$ and $u \sqsubseteq_E t$ can be derived.

There are two immediate obstacles. The first is that none of these preorders are pre-congruences for the language CCS^; specifically they are not preserved by the choice operator $+$.

Counterexample 6.1. Using the behavioural characterisation it is easy to check that $0 \sqsubseteq_{p2p} b.0$; in fact this is trivial because $0 \notin \mathcal{U}_{p2p}$. However $a.1 + 0 \not\sqsubseteq_{p2p} a.1 + b.0$ because $a.1 + b.0 \mathrel{\mathrm{must}^{p2p}} a.1 + 0$ while $a.1 + b.0 \mathrel{\not\mathrm{must}^{p2p}} a.1 + b.0$; the latter follows because of the possible communication on $b$.

The same counter-example also shows that the other preorders are not preserved by $+$.

So in order to discuss equational reasoning we focus on the largest CCS^ pre-congruence contained in $\sqsubseteq_{*}$; by definition this is preserved by all the operators. But it is convenient to have an alternative, more amenable characterisation. To this end we consider the relation that holds between $p$ and $q$ when $f.1 + p \sqsubseteq_{*} f.1 + q$ for some fresh action $f$.

Proposition 6.2. In an arbitrary LTS, $p$ and $q$ are related by the largest pre-congruence contained in $\sqsubseteq_{*}$ if and only if $f.1 + p \sqsubseteq_{*} f.1 + q$ for some fresh action $f$.

Proof. One direction is immediate, namely that the pre-congruence implies the characterisation via the fresh action $f$. To prove the converse it is sufficient to prove that the relation so defined is preserved by the two operators $+$ and $\mu.-$. The details are straightforward, and left to the reader. □

Note that this is similar to the characterisation of observation-congruence in Section 7.2 of [Mil89]; the same technique is also used in [NH84].

Proposition 6.2 gives a convenient characterisation of the behavioural pre-congruences, which we will use in the sequel. One useful property of this characterisation is the following:

Lemma 6.3. Suppose $p \not\xrightarrow{\checkmark}$. Then $p \sqsubseteq_{*} q$ implies that $p$ and $q$ are related by the pre-congruence.

Proof. Suppose $p \not\xrightarrow{\checkmark}$. Then for any client $r$, $f.1 + p \mathrel{\mathrm{must}} r$ implies $p \mathrel{\mathrm{must}} r$. This is sufficient to prove that $p \sqsubseteq_{svr} q$ implies $f.1 + p \sqsubseteq_{svr} f.1 + q$.

Minor variations on this argument will show that the result also holds for the client and peer preorders. □

The second obstacle to the equational characterisation of the behavioural preorders is that they are very sensitive to the ability of processes to immediately report success, with the result that many of the expected equations are not in general valid. For example the innocuous

$$a.\tau.x = a.x \tag{6.1}$$

valid in the theories of [Mil89, NH84], is not in general satisfied by two of our behavioural theories. For example $a.1 \not\sqsubseteq_{p2p} a.\tau.1$ because of the peer $a.(1 + \tau^\infty)$.

Accordingly in order to have a more elegant presentation of the inequational theory we will use two sorts of variables, the standard $x, y, \ldots$ which may be instantiated with any process from CCS^, and $x_{\not\checkmark}, y_{\not\checkmark}, \ldots$ which may only be instantiated by a process $p$ satisfying $p \not\xrightarrow{\checkmark}$; in CCS^ such processes $p$ in fact have a simple syntactic characterisation. With this convention in mind consider the five standard inequations given in Figure 5, which are satisfied by all three behavioural orders. We also assume the standard equations for (CCS^, $+$, $0$) being a commutative monoid. Let SVR denote the set of inequations obtained by adding

$$1 = 0 \tag{SVR1}$$

Intuitively $1$ has no significance for server behaviour; this extra equation captures this intuition and is sufficient to characterise the server preorder:

Theorem 6.4 (Soundness and completeness for server-testing). In CCS^, $p \sqsubseteq_{svr} q$ if and only if $p \sqsubseteq_{\mathrm{SVR}} q$.


Outline. The equation (SVR1) means that every term can be reduced to one which does not contain any occurrence of the unit $1$. This means that all terms can now match the special variables $x_{\not\checkmark}, y_{\not\checkmark}, \ldots$ and therefore the equations (S1) - (S5) can be rewritten with them replaced with the standard variables $x, y, \ldots$. The resulting inequational theory coincides with that from [NH84] which characterises the must testing preorder over finite terms;¹ this we know coincides with our server preorder $\sqsubseteq_{svr}$. □

¹This is referred to as $\mathcal{G}_2$ in [NH84].

All the standard inequations in Figure 5 are also valid for the client and peer pre-congruences. Indeed the reason for introducing the two sorts of variables was to ensure that they remain valid for these new pre-congruences.

Example 6.5 (The need for two sorted inequations). We have already seen why (S1a) would no longer hold, for the client and peer pre-congruences, if the meta-variable $x_{\not\checkmark}$ were replaced by the standard variable $x$. The innocuous equation (6.1) above would be a derived equation from this altered version of (S1a), because of the idempotency of $+$.

Let $r_1, r_2$ denote the clients $1 + \tau.a.1$ and $\tau.(1 + a.1) + \tau.a.1$ respectively. Then $(1 + \tau^\infty) \mathrel{\mathrm{must}} r_1$ whereas $(1 + \tau^\infty) \mathrel{\not\mathrm{must}} r_2$, and thus $r_1 \not\sqsubseteq_{clt} r_2$. This shows the need for the meta-variable $x_{\not\checkmark}$ in (S2), for otherwise $r_1 = r_2$ would be an instantiation.

The same example can be used to show that this restriction is also necessary for the peer pre-congruence.

Despite the use of two sorts of variables, much of the standard equational reasoning, for example from [NH84], remains valid. Here is a typical example, where we use ST to denote the inequational theory generated by the standard inequations.

Lemma 6.6. In the equational theory ST, $\tau.x + \tau.y =_{\mathrm{ST}} \tau.(\tau.x + \tau.y)$ is a derived equation.

Proof. Using (S1b) and (S4), together with the idempotency of $+$, we have the derived equation $\tau.\tau.x = \tau.x$. Then applying this twice we obtain:

$$\begin{aligned} \tau.x + \tau.y &=_{\mathrm{ST}} \tau.\tau.x + \tau.y =_{\mathrm{ST}} \tau.(\tau.\tau.x + \tau.y) && \text{(S1a)} \\ &=_{\mathrm{ST}} \tau.(\tau.x + \tau.y) \end{aligned}$$

Note that this derived equation is closely related to the standard equation (S1a). It is a restriction in that the $\mu$ is only allowed to be $\tau$, but is a generalisation in that neither of the meta-variables $x, y$ need satisfy the predicate $\not\checkmark$. □

The equation (SVR1) is obviously not satisfied by either the client or the peer pre-congruence. In order to characterise them we need to replace it with inequations which capture the significance of the operators $1$ and $0$ for clients and peers respectively. First we consider the client case. It is easy to see that $1$ is a maximal element for the preorder $\sqsubseteq_{clt}$ and also for the contextual preorder: $p \mathrel{\mathrm{must}} f.1 + 1$ for every server $p$, from which $r \sqsubseteq_{clt} 1$ follows for every client $r$. We also have that $r + 1 \sqsubseteq_{clt} 1$ for every client $r$; intuitively once a client can report success immediately then it does not matter what other behaviour it has. This client behaviour of $1$ is adequately captured by the two inequations (CLT1a) and (CLT1b) in Figure 6. More specifically the equation

$$x + 1 = 1 \tag{6.2}$$

is easily derivable from this pair of inequations.

Another property of $1$ stems from the fact that for every client $r$,

$$r \sqsubseteq_{clt} r + \mu.1$$

for every $\mu \in \mathit{Act}_\tau$; adding the capability $\mu.1$ to a client does not decrease its ability to satisfy servers. This property is captured by the inequation (CLT1c). In a dual manner, adding the capability $\mu.0$ to a client does not increase its ability to satisfy; for every client $r$

$$r + \mu.0 \sqsubseteq_{clt} r$$

This is captured by (Zb).
(Za) $\tau.0 \le \tau^\infty$

(Zb) $\mu.0 \le 0$

(CLT1a) $x \le 1$

(CLT1b) $1 \le x + 1$

(CLT1c) $0 \le \mu.1$

(P2P1) $0 \le 1$

(P2P2) $\mu.(1 + x) \le 1 + \mu.x$

(P2P3) $\mu.(1 + x) + \mu.(1 + y) \le \mu.(1 + \tau.x + \tau.y)$

Figure 6: Client and peer inequations



Let us now look in more detail at the zero $0$. Since $p \mathrel{\mathrm{must}} 0$ for no server $p$ it follows that $0 \sqsubseteq_{clt} r$ for every client $r$. But the client pre-congruence does not in general relate $0$ and $r$. For example $f.0 + b.0 \mathrel{\mathrm{must}} f.1 + 0$ but $f.0 + b.0 \mathrel{\not\mathrm{must}} f.1 + b.0$. In the latter, the synchronisation on $b$ leads to the possibility of the client not being satisfied. It follows that $0$ is not below $b.0$ in the pre-congruence.

However $p \mathrel{\mathrm{must}} f.1 + \tau.0$ for no server $p$, with the result that $\tau.0$ is below every client $r$ in the pre-congruence; it follows that $\tau.0$ is a minimal element in the client theory. Recall that $\tau^\infty$ is also a minimal element, and therefore to capture this property of $0$ it is sufficient to add the inequation (Za).

Note that an application of (S1a), together with the idempotency of $+$, gives the derived equation $\mu.x_{\not\checkmark} = \mu.\tau.x_{\not\checkmark}$; this combined with (Za), (S5) gives the useful derived inequation

$$\mu.0 \le \mu.x$$

in the client theory. In Figure 7 this is referred to as (DZ1) and will be used extensively in the sequel; intuitively this means that $0$ acts like a minimal element underneath a prefix.

Let CLT denote the set of inequations obtained by adding to the standard ones the client inequations we have just discussed, (Za), (Zb) and (CLT1a) - (CLT1c).

Theorem 6.7 (Soundness and Completeness for client-testing). In CCS^, $p \sqsubseteq_{clt} q$ if and only if $p \sqsubseteq_{\mathrm{CLT}} q$.

Proof. To prove soundness, again it is sufficient to show that $\sqsubseteq_{clt}$ satisfies each of the inequations concerned. Completeness requires the development of normal forms for clients. This is the topic of Section 7, and the result is actually proved in Theorem 7.12. □

Both the inequations (Za) and (Zb) remain valid for the peer preorder, but none of the unit inequations (CLT1a) - (CLT1c) are.


Counterexample 6.8. First consider (CLT1a). It is easy to see that $\bar{a}.1 \mathrel{\mathrm{must}^{p2p}} f.1 + a.1$ as both peers always evolve to success states. However $a.1 \mathrel{\not\mathrm{must}^{p2p}} f.1 + 1$, because the peer $1$ can not help the partner $a.1$ achieve success. It follows that $a.1$ is not below $1$ in the peer pre-congruence.

Moving to (CLT1b), $1 \mathrel{\not\mathrm{must}^{p2p}} \tau.0 + 1$ because the activation of the internal action can preempt one of the peers achieving success. However trivially $1 \mathrel{\mathrm{must}^{p2p}} 1$, with the result that $1 \not\sqsubseteq_{p2p} \tau.0 + 1$; this is a counterexample to (CLT1b) for the peer pre-congruence.

For the final counter-example note that $\bar{a}.0 + f.1 \mathrel{\mathrm{must}^{p2p}} f.1 + 0$ because the co-action $\bar{a}$ is never activated. However $\bar{a}.0 + f.1 \mathrel{\not\mathrm{must}^{p2p}} f.1 + a.1$ because the co-action $\bar{a}$ here is activated, and the activation prevents one of the peers from achieving success. Thus (CLT1c) does not hold for the peer pre-congruence when $\mu$ is an external action; a minor variation demonstrates that it also does not hold when $\mu$ is $\tau$.

The unit inequations (CLT1a) - (CLT1c) need to be replaced by unit inequations appropriate to peers. There are various possibilities we could add; we justify our particular choice by considering properties we would like of the inequational theory; in total we add three new inequations.

In both the server and the client theory we know that for every action $\mu$ and processes $p, q$ there is another process $r$ satisfying

$$\mu.p + \mu.q = \mu.r \tag{6.3}$$

Indeed this is one of the most important laws which delineates behavioural theories based on testing, rather than say bisimulation equivalence [Mil89]. It is derivable in the theory of servers, where $r$ can be taken to be $\tau.p + \tau.q$. It is also derivable in the theory of clients, although the form $r$ takes depends on whether both $p, q$ can immediately report success. If at least one of $p, q$ can not report success immediately this is an instance of (S1a) in Figure 5. If this is not the case then (S1a) can not be employed. But it turns out we can still find an $r$ which satisfies (6.3) in the algebraic theory of clients, namely $1$.

We also require (6.3) to be derivable in the algebraic theory of peers. Again if either $p$ or $q$ can not immediately report success then this will be an instance of (S1a). One can also check that

$$\mu.(1 + p) + \mu.(1 + q) \sqsubseteq_{p2p} \mu.(1 + \tau.p + \tau.q)$$

for all $p, q$. In order to make these derivable in the algebraic theory it is sufficient to add the inequation (P2P3), given in Figure 6. From (P2P3) and (S4) one then obtains the derived equation

$$\mu.(1 + x) + \mu.(1 + y) = \mu.(1 + \tau.x + \tau.y) \tag{6.4}$$

Another intrinsic property of extensional behavioural theories is the ability to abstract from internal activity. One equation capturing this has already been discussed in (6.1) above. This is valid in the server theory, and enables us to forget about the intermediate internal action $\tau$. We have also seen that it does not hold in the client theory; nor does it hold in the peer theory. However we are still able to abstract from intermediate internal actions in certain circumstances. For example

$$\mu.\tau.x_{\not\checkmark} = \mu.x_{\not\checkmark}$$

is easily derivable from (S1a). Other circumstances, the presence of $1$, are summed up by

$$\mu.(1 + \tau.x) =_{p2p} \mu.(1 + x) \tag{6.5}$$

This is immediately derivable in the peer theory from (6.4) above.

Our other two additions are motivated by the requirement for both peers to always report success. So adding to a process the ability to report success can only improve its behaviour as a peer. This is summed up by the inequation

$$p \sqsubseteq_{p2p} p + 1$$

for every peer $p$. This is captured as a derived equation if we add the inequation (P2P1) in Figure 6 to the theory.

Success does not have to be reported simultaneously by interacting pairs of peers; in particular the ability of a peer is not damaged by bringing forward the reporting of success.
(D1) $\sum_{1 \le i \le n} \tau.x_i = \tau.\bigl(\sum_{1 \le i \le n} \tau.x_i\bigr)$

(D2) $x_{\not\checkmark} + \tau.(x_{\not\checkmark} + y) = \tau.(x_{\not\checkmark} + y)$

(D3) $\mu.x + \tau^\infty = \tau^\infty$

(D4a) $\tau.x_{\not\checkmark} + \tau.y = \tau.x_{\not\checkmark} + \tau.y + \tau.(x_{\not\checkmark} + y)$

(D4b) $\tau.(x_{\not\checkmark} + 1) + \tau.(y_{\not\checkmark} + 1) = \tau.(x_{\not\checkmark} + 1) + \tau.(y_{\not\checkmark} + 1) + \tau.(x_{\not\checkmark} + y_{\not\checkmark} + 1)$

(D5a) $\tau.x + \tau.(x + y_{\not\checkmark} + z) = \tau.x + \tau.(x + y_{\not\checkmark}) + \tau.(x + y_{\not\checkmark} + z)$

(D5b) $\tau.x + \tau.(x + (y_{\not\checkmark} + 1) + z) = \tau.x + \tau.(x + (y_{\not\checkmark} + 1)) + \tau.(x + (y_{\not\checkmark} + 1) + z)$

(DZ1) $\mu.0 \le \mu.x$

(DP1) $1 + \mu.x = 1 + \mu.(x + 1)$

(DP2) $\mu.\bigl(1 + \sum_{1 \le i \le n} \tau.x_i\bigr) = \sum_{1 \le i \le n} \mu.(1 + x_i)$

(DP3) $\mu.x \le \mu.(1 + \tau.x)$

Figure 7: Some derived equations


This motivates the use of (P2P2) in Figure 6. An interesting consequence is the derived equation:

$$1 + \mu.x = 1 + \mu.(x + 1)$$

which is referred to as (DP1) in Figure 7.

Our inequational theory for peers is taken to consist of the standard inequations from Figure 5 together with (Za), (Zb) and (P2P1) - (P2P3).

Theorem 6.9 (Soundness and Completeness for peer-testing). In CCS^, $p \sqsubseteq_{p2p} q$ if and only if $p \sqsubseteq_{\mathrm{P2P}} q$.

Proof. Again to prove soundness it is sufficient to show that all of the inequations are valid for the preorder $\sqsubseteq_{p2p}$. Completeness is proved in Theorem 7.16. □

7. Completeness proofs

In this section we use a number of derived (in)equations, gathered in Figure 7. The first collection, (D1) - (D5), are derivable from the standard equations, while the second follow from the peer equations; see Appendix A. Note however that the three peer inequations (P2P1) - (P2P3) are easily derivable in the client theory, using (6.2) above. So the second collection is also available for reasoning about clients.


7.1. Normal forms. It will be notationally convenient to consider $1$ as a prefix term, say $\checkmark.0$, thus including $\checkmark$ as a possible prefix action. We also use $p\checkmark$ to denote that $p$ can perform the success action, $p \xrightarrow{\checkmark}$, and $p\not\checkmark$ for the converse.

The normal forms we use are an extension of those in [NH84]; considerable complications arise because of the presence of the unit operator $1$. The central idea is that of saturated collections of sets. Let $\mathcal{A}$ be a collection of finite subsets of $\mathit{Act}_\checkmark$. It is said to be saturated if whenever $X, Y \in \mathcal{A}$,

(i) $X \cup Y \in \mathcal{A}$

(ii) $Z \in \mathcal{A}$ whenever $X \subseteq Z \subseteq Y$

Lemma 7.1. For every collection $\mathcal{A}$ of finite subsets of $\mathit{Act}_\checkmark$ there exists a least collection $\mathrm{cl}(\mathcal{A})$ containing $\mathcal{A}$ which is saturated.

Proof. Straightforward. The existence of $\mathrm{cl}(\mathcal{A})$ can be shown from general principles, but we can also give a constructive definition. Let

$$\mathcal{B} = \{\, Z \mid X \subseteq Z \subseteq \textstyle\bigcup\mathcal{A}, \text{ for some } X \in \mathcal{A} \,\}$$

By definition $\mathcal{A} \subseteq \mathcal{B}$ and one can check that $\mathcal{B}$ is saturated, that is it satisfies (i), (ii) above.

Now let $\mathcal{C}$ be any other saturated set containing $\mathcal{B}$. Since it is closed under set theoretic union it must contain the set $\bigcup\mathcal{A}$. Therefore, since it satisfies (ii) above it must also contain all sets in $\mathcal{B}$; that is $\mathcal{B} \subseteq \mathcal{C}$. So we can set $\mathrm{cl}(\mathcal{A})$ to be $\mathcal{B}$. □


Definition 7.2 (Peer-normal forms, pnfs).

(1) $\tau^\infty \{ + 1 \}$ is a pnf.

(2) $n = \sum_{a \in A} a.n_a \{ + 1 \}$, for $A \subseteq \mathit{Act}$, is a pnf, provided $n\checkmark$ implies $n_a\checkmark$.

(3) Let $\mathcal{A}$ be a non-empty saturated set of non-empty finite subsets of $\mathit{Act}_\checkmark$. Suppose that for each $a \in \bigcup\mathcal{A}$, $n_a$ is a pnf. Then $\sum_{A \in \mathcal{A}} \tau.n_A \{ + 1 \}$ is a pnf, where $n_A$ denotes the term $\sum_{a \in A} a.n_a$, provided $n\checkmark$ implies $n_a\checkmark$.

Here we use the notation $p \{ + 1 \}$ to indicate that the presence of $+1$ is optional. Thus by (1), both $\tau^\infty$ and $\tau^\infty + 1$ are pnfs; by (2) $0$ is a pnf, as are $a.0 + 1$ and $a.0$.²

Before showing that all finite terms can be transformed into normal forms we need to develop some syntactic machinery for manipulating terms. We continue to use the notation introduced in Definition 7.2, using $n_A$, where $A \subseteq \mathit{Act}_\checkmark$, to denote the term $\sum_{a \in A} a.n_a$ for some (assumed) collection of terms $n_a$, and $n_{\mathcal{A}}$ for the term $\sum_{A \in \mathcal{A}} \tau.n_A$.

Proposition 7.3 (Saturation). Let $\mathcal{B} = \mathrm{cl}(\mathcal{A})$. Then $n_{\mathcal{A}} =_{\mathrm{P2P}} n_{\mathcal{B}}$.

Proof. This relies on two auxiliary results. Suppose $A, B, C \subseteq \mathit{Act}_\checkmark$, where $A \subseteq C \subseteq B$. Then

$$\tau.n_A + \tau.n_B =_{\mathrm{P2P}} \tau.n_A + \tau.n_B + \tau.n_{A \cup B} \tag{Union}$$

$$\tau.n_A + \tau.n_B =_{\mathrm{P2P}} \tau.n_A + \tau.n_C + \tau.n_B \tag{Sub}$$

By systematically employing both equalities, from left to right, we can transform $n_{\mathcal{A}}$ into $n_{\mathcal{B}}$. So we concentrate on proving these properties.

First we consider (Union). Suppose $\checkmark \notin A$. Then the equality follows from an application of the derived equation (D4a) in Figure 7. This can also be applied if $\checkmark \notin B$. Finally if $\checkmark \in A \cap B$ then we can use (D4b).

The proof of (Sub) above is similar, depending on whether $\checkmark \in C$. If it is then (D5b) is employed in the derivation; if not (D5a) is required. □

²Unfortunately so is $0 + 1$; this will be treated as $1$.
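The saturation closure $\mathrm{cl}(\mathcal{A})$ of Lemma 7.1 and the left-to-right (Union)/(Sub) rewriting of Proposition 7.3, as an added worked example; this is not code from the paper. Actions are represented as strings, the success action $\checkmark$ of Section 7.1 is written as the string `"tick"`, and every family of ready sets below is constructed here (one of them is the family $\{\{b\},\{c\},\{b,c\}\}$ that appears further on in this section). Each ready set $A$ in a family stands for the summand $\tau.n_A$ of $n_{\mathcal{A}}$, so adding a set to the family is exactly adding a summand, which is what (Union) and (Sub) do.

```python
# Added example (not the paper's code): the saturation closure cl(A) of
# Lemma 7.1 and the (Union)/(Sub) rewriting of Proposition 7.3, computed
# over explicit families of ready sets.  Actions are strings; the success
# prefix of Section 7.1 is written TICK.  All families below are constructed.
from itertools import combinations

TICK = "tick"  # stands for the success action, so that 1 is the prefix term tick.0


def fs(*actions):
    """Shorthand for a ready set."""
    return frozenset(actions)


def between(x, y):
    """Every Z with x <= Z <= y (x, y frozensets, x a subset of y)."""
    extra = sorted(y - x)
    for k in range(len(extra) + 1):
        for chosen in combinations(extra, k):
            yield x | frozenset(chosen)


def is_saturated(family):
    """Conditions (i) and (ii) of Section 7.1: closed under union and convex."""
    fam = set(family)
    for x in fam:
        for y in fam:
            if (x | y) not in fam:                 # (i) X ∪ Y ∈ A
                return False
            if x <= y and any(z not in fam for z in between(x, y)):
                return False                       # (ii) X ⊆ Z ⊆ Y implies Z ∈ A
    return True


def closure(family):
    """cl(A) as constructed in the proof of Lemma 7.1:
    B = { Z | X ⊆ Z ⊆ ∪A for some X ∈ A }."""
    fam = set(family)
    top = frozenset().union(*fam)                  # ∪A (empty if the family is empty)
    return {z for x in fam for z in between(x, top)}


def saturate_by_rewriting(family):
    """Proposition 7.3 read operationally: keep adding the τ-summands that
    (Union) and (Sub) introduce, left to right, until nothing new appears."""
    fam = set(family)
    while True:
        grown = set(fam)
        for a in fam:
            for b in fam:
                grown.add(a | b)                   # (Union): τ.n_A + τ.n_B gains τ.n_{A∪B}
                if a <= b:
                    grown.update(between(a, b))    # (Sub): gains τ.n_C for every A ⊆ C ⊆ B
        if grown == fam:
            return fam
        fam = grown


# The family {{b}, {c}, {b, c}} used further on in Section 7.1; it is already saturated.
PAPER_FAMILY = {fs("b"), fs("c"), fs("b", "c")}

# A constructed family that is not saturated: it lacks the union {a, b}.
UNSATURATED = {fs("a"), fs("b")}

# A constructed family whose closure needs both (Union) and (Sub) steps;
# one of its ready sets contains the success action.
MIXED = {fs("a", TICK), fs("b")}


def demo():
    """Return (closure of UNSATURATED, size of cl(MIXED), agreement of both methods)."""
    cl_u = closure(UNSATURATED)
    cl_m = closure(MIXED)
    agree = all(saturate_by_rewriting(f) == closure(f)
                for f in (PAPER_FAMILY, UNSATURATED, MIXED))
    return cl_u, len(cl_m), agree


if __name__ == "__main__":
    print("PAPER_FAMILY saturated:", is_saturated(PAPER_FAMILY))
    print("closure(UNSATURATED):", sorted(sorted(s) for s in closure(UNSATURATED)))
    print("cl(MIXED) has", len(closure(MIXED)), "ready sets")
    print("rewriting agrees with cl:", demo()[2])
```

The constructive definition and the rewriting agree on every family because both produce the least saturated superset: (Union) eventually adds $\bigcup\mathcal{A}$ itself, and (Sub) between each original $X$ and $\bigcup\mathcal{A}$ then adds exactly the sets $Z$ with $X \subseteq Z \subseteq \bigcup\mathcal{A}$.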
The next property has already been alluded to in (6.3).

Proposition 7.4 (Uniqueness of derivatives). For all $p, q \in$ CCS^ and all actions $\mu \in \mathit{Act}_\tau$, there exists some term $r$ such that $\mu.p + \mu.q =_{\mathrm{P2P}} \mu.r$.

Proof. If $p\not\checkmark$, or $q\not\checkmark$, then we can apply (S1a) directly, obtaining $r = \tau.p + \tau.q$. Otherwise we have both $p\checkmark$ and $q\checkmark$ and the required $r$ is $1 + \tau.p + \tau.q$. In one direction this is an application of (P2P3). The reverse follows from two applications of $\tau.x \le x$, which is derivable from (S4). □

We now show how to transform all terms into pnfs. The main work is done in the following two lemmas.

Lemma 7.5. If $n_1, n_2$ are pnfs then there exists a pnf $m$ such that $\tau.n_1 + \tau.n_2 =_{\mathrm{P2P}} m$.

Proof. By induction on the combined size of $n_1, n_2$ and an analysis of their structure. There are many cases to consider. We omit the cases when either takes the form $\tau^\infty \{ + 1 \}$ as the result follows from the derived rule (D3).

(a) Suppose $n_1 = \sum_{A \in \mathcal{A}} \tau.n_A$ and $n_2 = \sum_{B \in \mathcal{B}} \tau.m_B$. An application of the derived rule (D1) from Figure 7 gives

$$\tau.n_1 + \tau.n_2 =_{\mathrm{P2P}} \sum_{A \in \mathcal{A}} \tau.n_A + \sum_{B \in \mathcal{B}} \tau.m_B$$

Now suppose there exists some external action $c \in A \cap B$, where $A \in \mathcal{A}$ and $B \in \mathcal{B}$, such that $n_c \neq m_c$. We isolate the subterm $\tau.n_A + \tau.m_B$ so as to unify the $c$-derivatives. This subterm has the form $\tau.(p + c.n_c) + \tau.(q + c.m_c)$ which can be rewritten to

$$\begin{aligned} &=_{\mathrm{P2P}} c.n_c + \tau.(p + c.n_c) + c.m_c + \tau.(q + c.m_c) && \text{by (D2)} \\ &=_{\mathrm{P2P}} \tau.(p + c.n_c + c.m_c) + \tau.(q + c.n_c + c.m_c) && \text{by (S3)} \end{aligned}$$

Now suppose at least one of $n_c, m_c$ satisfies $\not\checkmark$. Then we can use (S1a) to proceed thus:

$$=_{\mathrm{P2P}} \tau.(p + c.(\tau.n_c + \tau.m_c)) + \tau.(q + c.(\tau.n_c + \tau.m_c))$$

By induction there exists a normal form $o_c =_{\mathrm{P2P}} \tau.n_c + \tau.m_c$ and so we may transform the subterm to

$$=_{\mathrm{P2P}} \tau.(p + c.o_c) + \tau.(q + c.o_c)$$

On the other hand if both $n_c\checkmark$ and $m_c\checkmark$, we can imitate the above sequence of steps, this time using (P2P3), or rather its derived version (6.4) above, to obtain

$$=_{\mathrm{P2P}} \tau.(1 + p + c.(1 + o_c)) + \tau.(1 + q + c.(1 + o_c))$$

By systematically applying the derivative unification transformation we can now assume that $\tau.n_1 + \tau.n_2$ has the form $\sum_{C \in \mathcal{C}} \tau.s_C$ where each $s_C$ is a pnf. Moreover by Proposition 7.3 this can be transformed into $\sum_{D \in \mathcal{D}} \tau.s_D$ where $\mathcal{D}$ is saturated; this is the required pnf.

(b) Suppose $n_1 = 1 + \sum_{A \in \mathcal{A}} \tau.n_A$ and $n_2 = \sum_{B \in \mathcal{B}} \tau.m_B$. Applying the derived equation (DP2) we rewrite $\tau.n_1$ to the form

$$\sum_{A \in \mathcal{A}} \tau.(1 + n_A)$$

which by (D1) can be transformed into $\tau.\sum_{A \in \mathcal{A}} \tau.(1 + n_A)$, and we proceed as in the previous case. The same holds if $n_2$ has $1$ as a summand.

(c) Suppose $n_1 = \sum_{a \in A} a.n_a \{ + 1 \}$ and $n_2$ is as in the previous case. Then by (D1)

$$\tau.n_1 =_{\mathrm{P2P}} \tau.\Bigl(\sum_{A' \in \{A\}} \tau.n_{A'} \{ + 1 \}\Bigr)$$

and we proceed as in case (a).

Finally if $n_2$ contains $1$ as a summand we proceed in much the same way, but using case (b).

□


Lemma 7.6. If $n_1, n_2$ are pnfs then there exists a pnf $m$ such that $n_1 + n_2 =_{\mathrm{P2P}} m$.

Proof. Again the proof proceeds by induction on the combined sizes of $n_1, n_2$ and a case analysis of their form.

(a) Suppose $n_1 = \sum_{A \in \mathcal{A}} \tau.n_A$ and $n_2 = \sum_{B \in \mathcal{B}} \tau.m_B$; this is the central case.

We know that $\mathcal{B}$ is not empty. So using (D1), (S2) we have $n_1 + n_2 =_{\mathrm{P2P}} \tau.(n_1 + m_{B_1}) + \tau.n_2$, for some $B_1 \in \mathcal{B}$. By induction $n_1 + m_{B_1}$ has a pnf. The required result now follows from the previous lemma.

(b) Suppose $n_1 = 1 + n_1'$, where $n_1' = \sum_{A \in \mathcal{A}} \tau.n_A$, and $n_2$ is as in the previous case. Then we can construct, as in case (a), a pnf for $n_1' + n_2$, which takes the form $\sum_{D \in \mathcal{D}} \tau.o_D$. The required pnf is then obtained from $1 + \sum_{D \in \mathcal{D}} \tau.o_D$ by the repeated application of the derived rule (DP1).

The case where $n_2$ has $1$ as an additional summand is handled in a similar manner.

(c) Suppose $n_1 = \sum_{a \in A} a.n_a$ and $n_2 = \sum_{B \in \mathcal{B}} \tau.m_B$. Using (D1) we obtain $n_1 + n_2 = \tau.n_1 + \tau.n_2$ and the result now follows by the previous lemma.

If either $n_1$ or $n_2$, or both, have $1$ as an additional summand we can proceed in the same manner. We may then have to apply (DP1) to ensure that the resulting pnf $1 + \sum_{D \in \mathcal{D}} \tau.o_D$ is such that $o_d\checkmark$ for every $d \in \bigcup\mathcal{D}$.

(d) Suppose $n_1 = \sum_{a \in A} a.n_a \{ + 1 \}$ and $n_2 = \sum_{b \in B} b.m_b \{ + 1 \}$. Then using Proposition 7.4 and induction we can construct a pnf of the form $\sum_{d \in A \cup B} d.o_d \{ + 1 \}$.

(e) The final possibility, when either $n_1$ or $n_2$ is $\tau^\infty$, is straightforward, using the derived equation (D3).

□

Theorem 7.7 (Peer normal forms). For every $p \in$ CCS^ there exists a pnf $n$ such that $p =_{\mathrm{P2P}} n$.

Proof. By structural induction on $p$. The main case is covered by Lemma 7.6. □


One consequence of the completeness theorem will be that $p \sqsubseteq_{\mathrm{P2P}} 0$ whenever $p \notin \mathcal{U}_{p2p}$, because for such $p$ we know $p \sqsubseteq_{p2p} 0$.³ However it is useful to already have this result when proving completeness. A direct proof of this fact is not obvious. For example consider $p = a.(b.0 + c.1) + a.(b.1 + c.0)$ which we know not to be in $\mathcal{U}_{p2p}$. The derivation of $p \sqsubseteq_{\mathrm{P2P}} 0$ is not straightforward. But it becomes so if we first convert $p$ to a pnf. This turns out to be

$$n_p = a.\sum_{A \in \mathcal{A}} \tau.n_A \quad \text{where } \mathcal{A} = \{\{b\}, \{c\}, \{b, c\}\} \text{ and } n_b = n_c = \tau.1 + \tau.0$$

Now (S4) gives $n_b = n_c \sqsubseteq_{\mathrm{P2P}} 0$ and $n_p \sqsubseteq_{\mathrm{P2P}} 0$ then follows by applications of the rule (Zb). This technique is quite general, and powerful, and is the basis of the proof of the following lemma.

³In general $0 \sqsubseteq_{p2p} p$ is not true, even if $p \notin \mathcal{U}_{p2p}$.


Lemma 7.8. Suppose $p \notin \mathcal{U}_{p2p}$. Then

(1) $p \sqsubseteq_{p2p} q$ implies $p \sqsubseteq_{\mathrm{P2P}} q$

(2) $p \sqsubseteq_{\mathrm{P2P}} 0$.

Proof. Part (2) is an immediate consequence of part (1) and the observation that $p \notin \mathcal{U}_{p2p}$ implies $p \sqsubseteq_{p2p} 0$. So we concentrate on part (1), and we may assume that $p$ is a pnf. We now proceed by induction on its size and a case analysis of its form. However we know that $p\not\checkmark$ because otherwise we would have $1 \mathrel{\mathrm{must}^{p2p}} p$; this eliminates many of the possible forms. Also if $p$ is $\tau^\infty$ then the result is immediate, since $\tau^\infty$ is a least element. So in effect we are left with two possibilities.

(a) Suppose $p$ has the form $\sum_{a \in A} a.n_a$ for some $A \subseteq \mathit{Act}$.

If $n_a \in \mathcal{U}_{p2p}$ for some $a \in A$ then it would follow that $p \in \mathcal{U}_{p2p}$, for $p \mathrel{\mathrm{must}^{p2p}} a.q_a$ for any $q_a$ satisfying $n_a \mathrel{\mathrm{must}^{p2p}} q_a$. So by induction we have $n_a \sqsubseteq_{\mathrm{P2P}} 0$ for every $a \in A$.

Because $p \sqsubseteq_{p2p} q$ we know that $q$ has essentially only one possible form, namely $m_B \{ + 1 \}$ for some $B \subseteq \mathit{Act}$. Moreover since $f.1 + p \mathrel{\mathrm{must}^{p2p}} f.1 + c.0$ for any $c \in \mathit{Act} \setminus A$ we have that $B \subseteq A$. We can now reason as follows:

$$\begin{aligned} \sum_{a \in A} a.n_a &\sqsubseteq_{\mathrm{P2P}} \sum_{a \in A} a.0 && \text{Induction} \\ &\sqsubseteq_{\mathrm{P2P}} \sum_{b \in B} b.0 && \text{(Zb)} \\ &\sqsubseteq_{\mathrm{P2P}} \sum_{b \in B} b.m_b && \text{(DZ1)} \end{aligned}$$

Finally suppose $q$ has the summand $1$. If $A$ is empty we can use (P2P1). Otherwise the extra summand $1$ can be added by an initial application of the derived equation (DP3).

(b) Suppose $p$ has the form $\sum_{A \in \mathcal{A}} \tau.n_A$ for some saturated set $\mathcal{A}$.

Now suppose the empty set is in $\mathcal{A}$, that is $\tau.0$ is a summand. Then using (S4) we obtain $p \sqsubseteq_{\mathrm{P2P}} \tau.0$ and the required result now follows since $\tau.0$ is a least element.

So we can assume $\emptyset \notin \mathcal{A}$. As a preliminary argument suppose that for all $A \in \mathcal{A}$, either $1 \in A$ or there exists some $a_A \in A$ such that $n_{a_A} \in \mathcal{U}_{p2p}$. Then let $p'$ denote the peer

$$1 + \sum_{A \in \mathcal{A},\, 1 \notin A} a_A.p'_{a_A}$$

where $p'_{a_A}$ is chosen so that $n_{a_A} \mathrel{\mathrm{must}^{p2p}} p'_{a_A}$. Then one can check that $p' \mathrel{\mathrm{must}^{p2p}} p$, contradicting the fact that $p \notin \mathcal{U}_{p2p}$.

So we can assume that there is some $A_0 \in \mathcal{A}$ such that $1 \notin A_0$ and $n_a \notin \mathcal{U}_{p2p}$ for every $a \in A_0$. By induction $n_a \sqsubseteq_{\mathrm{P2P}} 0$ and by (Zb), $a.n_a \sqsubseteq_{\mathrm{P2P}} 0$ for every $a \in A_0$. As a result $n_{A_0} \sqsubseteq_{\mathrm{P2P}} 0$. Now an application of (S4) allows us to conclude $p \sqsubseteq_{\mathrm{P2P}} \tau.0$, from which again the required result follows. □

Client normal forms are simplifications of their peer counterparts. We have already remarked that the three extra peer inequations (P2P1) - (P2P3) are derivable in the client theory, and so we will obtain the client normal forms by using client inequations to simplify peer normal forms.

Definition 7.9 (Client normal forms, cnfs).

(1) $\tau^\infty$, $1$ and $\tau.1$ are cnfs.

(2) For any $A \subseteq \mathit{Act}$ the sum $\sum_{a \in A} a.n_a$ is a cnf, provided each $n_a$ is a cnf.

(3) Let $\mathcal{A}$ be a non-empty saturated set of non-empty subsets of $\mathit{Act}$. Suppose that for each $a \in \bigcup\mathcal{A}$, $n_a$ is a cnf. Then $n = \sum_{A \in \mathcal{A}} \tau.n_A \{ + \tau.1 \}$ is a cnf.

Theorem 7.10 (Client normal forms). For every $p \in$ CCS^ there exists a cnf $n$ such that $p =_{\mathrm{CLT}} n$.

Proof. First recall that the usability sets $\mathcal{U}_{clt}$ and $\mathcal{U}_{p2p}$ are identical. Using Theorem 7.7, we can assume that $p$ can be transformed into a pnf $m$, that is $p =_{\mathrm{CLT}} m$. Then by induction, and a systematic application of the derived unit equation $x + 1 = 1$, discussed in (6.2) above, $m$ can then be transformed into a cnf. For example if $m$ has the form $1 + m'$ then the resulting cnf is $1$. Suppose it has the form $\sum_{A \in \mathcal{A}} \tau.m_A$, where $\mathcal{A}$ is a saturated set of non-empty subsets of $\mathit{Act}_\checkmark$. Let $\mathcal{B} = \{ A \in \mathcal{A} \mid 1 \notin A \}$; $\mathcal{B}$ is still saturated. If it is empty the required cnf is $\tau.1$. Otherwise it is

$$\sum_{B \in \mathcal{B}} \tau.m'_B \ \{ + \tau.1 \ \text{ if } 1 \in \textstyle\bigcup\mathcal{A} \}$$

where for each $b \in \bigcup\mathcal{B}$, $m'_b$ is the cnf obtained from $m_b$ by induction. Here again the derived equation $x + 1 = 1$ is used to transform $\tau.m_A$ into $\tau.1$ for any $A$ containing $\checkmark$. □


7.2. Completeness for clients. We first tackle the more straightforward case, the client preorder. For convenience we isolate a particularly significant case in the following lemma.

Lemma 7.11 (Stable state). Suppose $n = \sum_{A \in \mathcal{A}} \tau.n_A$ and $m_B$ are both cnfs such that $n \sqsubseteq_{clt} m_B$, and $n \in \mathcal{U}_{clt}$. Let $N = \{ a \in \bigcup\mathcal{A} \mid n_a \in \mathcal{U}_{clt} \}$ and $B_0 = \{ b \in B \mid m_b \text{ is different from } 1 \}$. Then

(1) there exists some $A \in \mathcal{A}$ such that $B_0 \subseteq A$ and $A \cap N \subseteq B$

(2) $\tau.n_b \sqsubseteq_{clt} m_b$, for every $b \in B \cap (\bigcup\mathcal{A})$.

(3) $n_b\checkmark$ implies $m_b\checkmark$ for every $b \in B \cap (\bigcup\mathcal{A})$.

Proof. (1) Since $n \in \mathcal{U}_{clt}$ we know that there exists some server $p_n$ such that $p_n \mathrel{\mathrm{must}} n$. Now suppose there is some $b \in B_0 \setminus (\bigcup\mathcal{A})$. Then $p_n + b.\tau^\infty \mathrel{\mathrm{must}} n$, from which it follows $p_n + b.\tau^\infty \mathrel{\mathrm{must}} m_B$. But $m_b$ is a cnf which is different from $1$. By examining the other possibilities for $m_b$ we see that $\tau^\infty \mathrel{\mathrm{must}} m_b$ is not possible, which contradicts $p_n + b.\tau^\infty \mathrel{\mathrm{must}} m_B$. So we can conclude that $B_0 \subseteq \bigcup\mathcal{A}$.

Now suppose, for another contradiction, that for every $A \in \mathcal{A}$ there exists some $a_A \in (A \cap N) \setminus B$. Let $p$ denote the server $\sum_{A \in \mathcal{A}} \bar{a}_A.p_A$, where the servers $p_A$ are chosen so that $p_A \mathrel{\mathrm{must}} n_{a_A}$. Then because $\mathcal{A}$ is not empty $p \mathrel{\mathrm{must}} n$. This would imply $p \mathrel{\mathrm{must}} m_B$, which is clearly not possible. What this means is that there is some $A_1 \in \mathcal{A}$ such that $(A_1 \cap N) \subseteq B$. Let $A = A_1 \cup B_0$. Then since $B_0 \subseteq \bigcup\mathcal{A}$ and $\mathcal{A}$ is saturated we know $A \in \mathcal{A}$, and by construction it has the required properties.

(2) Suppose $p \mathrel{\mathrm{must}} \tau.n_b$, where $b \in B$; we have to show that $p \mathrel{\mathrm{must}} m_b$ follows. Let $p_n$ be the server used in part (1); it satisfies $p_n \mathrel{\mathrm{must}} n$. Then one can show that $p_n + b.p \mathrel{\mathrm{must}} n$, from which $p_n + b.p \mathrel{\mathrm{must}} m_B$ follows. But this is only possible if $p \mathrel{\mathrm{must}} m_b$.

(3) Let $b \in B \cap (\bigcup\mathcal{A})$ be such that $n_b\checkmark$. Then $p_n + b.\tau^\infty \mathrel{\mathrm{must}} n$ from which $p_n + b.\tau^\infty \mathrel{\mathrm{must}} m_B$ follows. But this will only be possible if $m_b\checkmark$. □

Theorem 7.12 (Completeness: clients). In CCS^, $p \sqsubseteq^{c}_{\mathrm{clt}} q$ implies $p \sqsubseteq_{\mathrm{clt}} q$ in the client equational theory.

Proof. Let $n$, $m$ be the cnfs for $p$, $q$ respectively; we know that $n \sqsubseteq^{c}_{\mathrm{clt}} m$. The proof proceeds by induction on the combined size of $n$, $m$, and an exhaustive analysis of their possible structure, dictated by Definition 7.9. Note that because of Lemma 7.8 we can assume $n \in \mathcal{U}_{\mathrm{clt}}$.

(a) If $n$ is $\tau^\infty$ the result is obvious, since $\tau^\infty$ is a least element in the client equational theory. If it is $1$, the argument is also straightforward. We have $1 + \tau^\infty$ must $m$, since this server is guaranteed by $n = 1$. But this is only possible if $m\,\checkmark$; looking at the possible forms of cnfs in Definition 7.9 we see that $m$ also has to be $1$.

A similar argument, using the server $0$, gives the result when $n$ is $\tau.1$.

(b) Now suppose $n$ has the form $n_A$. Let us first look at the possible forms for the cnf $m$. Because $f.1 + n_A \sqsubseteq^{c}_{\mathrm{clt}} f.1 + m$, where $f$ is fresh, $m$ can not perform a $\tau$ action. So the only remaining possibility is that $m = m_B$ for some set of actions $B$.

Now suppose that there exists some $b \in B\setminus A$. Then since $f.0 + b.\tau^\infty$ must $f.1 + n_A$ we must have that $\tau^\infty$ must $m_b$, for this is the only way to ensure that $f.0 + b.\tau^\infty$ must $f.1 + m_B$. But $m_b$ is a cnf and so it must be precisely $1$.

If $A$ is the empty set then the result is immediate, since then $n = 0$, and we can apply (CLT1c) repeatedly to obtain $0 \sqsubseteq_{\mathrm{clt}} m_B$.

At this stage we can use information available from Lemma 7.11 because
\[
\sum_{A' \in \{A\}} \tau.n_{A'} \;\sqsubseteq_{\mathrm{clt}}\; n_A \;\sqsubseteq_{\mathrm{clt}}\; m_B .
\]
Part (1) gives that $B_0 \subseteq A$ and $N \subseteq B$, where $B_0$ and $N$ are as defined in the statement of the lemma. So from part (2) we have that $\tau.n_a \sqsubseteq_{\mathrm{clt}} m_a$ for every $a \in A \cap B$. From Lemma 6.3 this gives $\tau.n_a \sqsubseteq^{c}_{\mathrm{clt}} m_a$; now using induction, which recall is on the combined size of the terms, we can assume $\tau.n_a \sqsubseteq_{\mathrm{clt}} m_a$ in the equational theory, and therefore $a.\tau.n_a \sqsubseteq_{\mathrm{clt}} a.m_a$. If $n_a\,\not\checkmark$, an application of the standard equation (S1a) and the idempotence of $+$ gives $a.n_a \sqsubseteq_{\mathrm{clt}} a.m_a$. On the other hand if $n_a\,\checkmark$ then from part (3) of Lemma 7.11 we also have $m_a\,\checkmark$. But both are cnfs and therefore both must coincide with $1$. So for every $a \in A \cap B$ we have established $a.n_a \sqsubseteq_{\mathrm{clt}} a.m_a$.
The argument is now completed as follows:
\begin{align*}
n_A &= \sum_{a \in N} a.n_a + \sum_{a \in A\setminus N} a.n_a \\
&\sqsubseteq_{\mathrm{clt}} \sum_{a \in N} a.m_a + \sum_{a \in A\setminus N} a.n_a && \text{as argued above} \\
&\sqsubseteq_{\mathrm{clt}} \sum_{a \in N} a.m_a + \sum_{a \in (A\setminus N)\cap B} a.n_a + \sum_{a \in (A\setminus N)\setminus B} a.n_a \\
&\sqsubseteq_{\mathrm{clt}} \sum_{a \in N} a.m_a + \sum_{a \in (A\setminus N)\cap B} a.n_a && \text{Lemma 7.8, (Zb)} \\
&\sqsubseteq_{\mathrm{clt}} \sum_{a \in N} a.m_a + \sum_{a \in (A\setminus N)\cap B} a.m_a && \text{Lemma 7.8, (DZ1)} \\
&\sqsubseteq_{\mathrm{clt}} \sum_{a \in N} a.m_a + \sum_{a \in (A\setminus N)\cap B} a.m_a + \sum_{b \in B\setminus A} b.1 && \text{(CLT1c)} \\
&= \sum_{b \in B} b.m_b
\end{align*}
The last line follows because

• $B$ can be decomposed into the three disjoint sets $N$, $(A\setminus N)\cap B$ and $B\setminus A$;

• if $b \in B\setminus A$ then $m_b$ is $1$; this follows because $B_0 \subseteq A$.

(c) There is one remaining case for the structure of $n$, namely $\sum_{A\in\mathcal{A}} \tau.n_A \;\{+\,\tau.1\}$. Here again we have to look at the possible structure of $m$. There are only two interesting cases.

The first is when $m$ has the form $m_B$ for some set $B \subseteq \mathrm{Act}$. This case fits the statement of Lemma 7.11 precisely. There must be some $A \in \mathcal{A}$ such that $B_0 \subseteq A$ and $A \cap N \subseteq B$, where again $B_0$ and $N$ are as defined in the lemma.

Now using the fact that
\[
A = (A\cap N) \cup ((A\setminus N)\cap B) \cup ((A\setminus N)\setminus B)
\]
we can proceed as in case (b) to show
\[
n_A \;\sqsubseteq_{\mathrm{clt}}\; \sum_{a\in A\cap N} a.m_a + \sum_{a\in (A\setminus N)\cap B} a.m_a \tag{7.1}
\]
The set $B$ can also be decomposed as
\[
B = (A\cap N) \cup ((A\setminus N)\cap B) \cup (B\setminus A)
\]
Moreover since $B_0 \subseteq A$, for every $b \in B\setminus A$ the residual $m_b$ must be $1$. Therefore using applications of (CLT1c) to (7.1) we can obtain $n_A \sqsubseteq_{\mathrm{clt}} m_B$. The required result, $n \sqsubseteq_{\mathrm{clt}} m_B$, now follows by (S4).

The other interesting case is when $m$ has either the form $\sum_{B\in\mathcal{B}} \tau.m_B$ or the form $(\sum_{B\in\mathcal{B}} \tau.m_B) + \tau.1$. Here $m \sqsubseteq_{\mathrm{clt}} m_B$ for every $B \in \mathcal{B}$, from which $n \sqsubseteq_{\mathrm{clt}} m_B$ follows. Again we can proceed as in (b) to show $n \sqsubseteq_{\mathrm{clt}} m_B$ in the equational theory.

To complete we use the fact that $n =_{\mathrm{clt}} \sum_{B\in\mathcal{B}} \tau.n$. This follows from the derived law (D1) and the idempotency of $+$.

□ 
7.3. Completeness for peers. The completeness result for peers follows the same structure as that for clients. But it is complicated by the more intricate form of pnfs; in particular pnfs of the form $1 + n$, where $n$ is non-trivial. We need a generalisation of Lemma 7.11 for peers, which in turn requires a preliminary result.

Lemma 7.13. Suppose $p \in \mathcal{U}_{\mathrm{p2p}}$ and $p\,\not\checkmark$. Then there exists some $q$ such that $q\,\not\checkmark$ and $q$ must $p$.

Proof. We may assume that $p$ is a pnf. If it has the form $n_A$ there must exist some $a \in A$ such that $n_a \in \mathcal{U}_{\mathrm{p2p}}$. From this we get some $q_a$ satisfying $q_a$ must $n_a$, and the required $q$ is $a.q_a$.

Otherwise $p$ must have the form $\sum_{A\in\mathcal{A}} \tau.n_A$. From the analysis carried out in the proof of Lemma 7.8 we know that for every $A \in \mathcal{A}$ either $1 \in A$ or there exists some $a_A \in A$ such that $n_{a_A} \in \mathcal{U}_{\mathrm{p2p}}$. The required $q$ is then $\tau.1 + \sum_{A\in\mathcal{A}} a_A.q_{a_A}$, where the peer $q_{a_A}$ is chosen so that $n_{a_A}$ must $q_{a_A}$.

□

Lemma 7.14 (Stable state). Suppose $n = (\sum_{A\in\mathcal{A}} \tau.n_A)\,\{+\,1\}$ and $m_B$, where $B \subseteq \mathrm{Act}_\checkmark$, are both pnfs such that $n \sqsubseteq_{\mathrm{p2p}} m_B$ and $n \in \mathcal{U}_{\mathrm{clt}}$. Let $N = \{a \in \bigcup\mathcal{A} \mid n_a \in \mathcal{U}_{\mathrm{p2p}}\}$ and $B_0 = B \setminus \{\checkmark\}$. Then

(1) there exists some $A \in \mathcal{A}$ such that $B_0 \subseteq A$ and $A \cap N \subseteq B_0$

(2) $\tau.n_b \sqsubseteq_{\mathrm{p2p}} m_b$, for all $b \in B \cap \bigcup\mathcal{A}$

(3) $n_b\,\checkmark$ implies $m_b\,\checkmark$, for all $b \in B \cap \bigcup\mathcal{A}$.

Proof. Let $p_n$ be any peer satisfying $p_n$ must $n$. We know at least one exists and because of the previous lemma we may assume that $p_n\,\not\checkmark$.

(1) This is similar to the proof of part (1) of Lemma 7.11 although here we are dealing with peers rather than clients. Suppose there is some $b \in B$ such that $b \notin \bigcup\mathcal{A}$. Then $p_n + b.0$ must $n$. This contradicts the fact that $n \sqsubseteq_{\mathrm{p2p}} m_B$ since $m_B$ can not guarantee the success of the peer $p_n + b.0$. So we have established $B_0 \subseteq \bigcup\mathcal{A}$.

We can continue as in part (1) of Lemma 7.11 to show that there exists some $A_1 \in \mathcal{A}$ such that $A_1 \cap N \subseteq B_0$. The required $A$ can now be taken to be $A_1 \cup B_0$.

(2) Suppose $p$ must $\tau.n_b$. This means that $p_n + b.p$ must $n$, from which $p_n + b.p$ must $m_B$ follows. By construction $p_n\,\not\checkmark$ and so if $\checkmark \notin B$ this implies that $p$ must $m_b$. On the other hand if $\checkmark \in B$ we can only deduce that $m_b$ must $p$. But by the construction of pnfs, if $\checkmark \in B$ then we also know that $m_b\,\checkmark$. The required $p$ must $m_b$ now follows.

(3) For an arbitrary $b \in B \cap \bigcup\mathcal{A}$ suppose $n_b\,\checkmark$. Then $p_n + b.(1 + \tau^\infty)$ must $n$, and so this must also be true of $m_B$. But, since $p_n\,\not\checkmark$, this is only possible if $m_b\,\checkmark$. □


Before embarking on the main proof of completeness it is convenient to isolate one particular 
case. 


Lemma 7.15. $n \sqsubseteq_{\mathrm{p2p}} 1$ implies $n \sqsubseteq_{\mathrm{p2p}} 1$ in the peer equational theory.

Proof. We may assume that $n$ is a pnf, and we use a case analysis on its structure. When it has the form $\tau^\infty\,\{+\,1\}$ the result is obvious.

(1) So consider the case when it has the form $n_A\,\{+\,1\}$ for some $A \subseteq \mathrm{Act}$. Now suppose there is some $a \in A$ such that $n_a \in \mathcal{U}_{\mathrm{p2p}}$, so there is a peer $p_a$ such that $p_a$ must $n_a$. This means that $a.p_a$ must $n$. But this would imply that $a.p_a$ must $1$, which is impossible since $1 \not\mathrm{must}\ a.p_a$. So what we have shown is that $n_a \notin \mathcal{U}_{\mathrm{p2p}}$ for every $a$ in $A$ and therefore $\sum_{a\in A} a.n_a \notin \mathcal{U}_{\mathrm{p2p}}$. The result now follows from Lemma 7.8.

(2) The only other possibility is that it has the form $\sum_{A\in\mathcal{A}} \tau.n_A\,\{+\,1\}$. For a contradiction suppose that for all $A \in \mathcal{A}$ there exists some $a_A \in A$ such that $p_A$ must $n_{a_A}$. This means that $n$ must $p$, where $p$ is the peer $\sum_{A\in\mathcal{A}} a_A.p_A$. This contradicts the fact that $n \sqsubseteq_{\mathrm{p2p}} 1$ since $1 \not\mathrm{must}\ p$; the peer $1$ cannot induce $p$ into a successful state.

So we have established that there is some $A \in \mathcal{A}$ such that $n_a \notin \mathcal{U}_{\mathrm{p2p}}$ for every $a \in A$. Using Lemma 7.8 and (DZ1) we can derive $n_A \sqsubseteq_{\mathrm{p2p}} 0\,\{+\,1\}$, from which the result follows, since $n \sqsubseteq_{\mathrm{p2p}} \tau.n_A$. □

Theorem 7.16 (Completeness: peers). In CCS^, $p \sqsubseteq^{c}_{\mathrm{p2p}} q$ implies $p \sqsubseteq_{\mathrm{p2p}} q$ in the peer equational theory.

Proof. The proof follows the same structure as that of Theorem 7.12, but there are more details to be considered. Here let $n$, $m$ be the pnfs for $p$, $q$ respectively; the proof proceeds by induction on the combined size of $n$, $m$, and an analysis of their possible structure, as given in Definition 7.2. Because of Lemma 7.8 we may also assume that $n \in \mathcal{U}_{\mathrm{p2p}}$. We also leave the uninteresting case when it has the form $\tau^\infty\,\{+\,1\}$ to the reader.

(a) $n = (\sum_{A\in\mathcal{A}} \tau.n_A)\,\{+\,1\}$, $m = m_B$ for some $B \subseteq \mathrm{Act}_\checkmark$. This is precisely the case to which Lemma 7.14 applies. Let $A \in \mathcal{A}$, $N$ and $B_0$ be as given in the statement of the lemma; because of Lemma 7.15 we can assume that $B_0$ is not empty. Let $A_0$ be $A \setminus \{\checkmark\}$. Our aim is to show
\[
n_{A_0} \;\sqsubseteq_{\mathrm{p2p}}\; m_{B_0} \tag{7.2}
\]
from which the required result will follow. This is a consequence of the following:

• if $1$ is a summand of $n$ then it must also be a summand of $m$; to see this consider the peer $1 + \tau^\infty$.

• $m_{B_0} \sqsubseteq_{\mathrm{p2p}} m_B$; for if $\checkmark \in B$ then by condition (2)(ii) of Definition 7.2 $m_b$ must have $1$ as a summand for every $b \in B_0$, and because $B_0$ is not empty we can apply an instance of (P2P2) to one summand $b.m_b$ of $m_{B_0}$ to obtain $m_{B_0} \sqsubseteq_{\mathrm{p2p}} m_B$.

So let us concentrate on establishing (7.2). This relies on the following set decompositions:
\[
A_0 = (A_0\cap N) \cup ((A_0\setminus N)\cap B_0) \cup ((A_0\setminus N)\setminus B_0)
\]
\[
B_0 = (A_0\cap N) \cup ((A_0\setminus N)\cap B_0)
\]
The argument now proceeds in much the same way as in the corresponding case, (b), of Theorem 7.12:

\begin{align*}
n_{A_0} &= \sum_{a\in A_0\cap N} a.n_a + \sum_{a\in (A_0\setminus N)\cap B_0} a.n_a + \sum_{a\in (A_0\setminus N)\setminus B_0} a.n_a \\
&\sqsubseteq_{\mathrm{p2p}} \sum_{a\in A_0\cap N} a.m_a + \sum_{a\in (A_0\setminus N)\cap B_0} a.n_a + \sum_{a\in (A_0\setminus N)\setminus B_0} a.n_a && (*) \\
&\sqsubseteq_{\mathrm{p2p}} \sum_{a\in A_0\cap N} a.m_a + \sum_{a\in (A_0\setminus N)\cap B_0} a.n_a && \text{Lemma 7.8, (Zb)} \\
&\sqsubseteq_{\mathrm{p2p}} \sum_{a\in A_0\cap N} a.m_a + \sum_{a\in (A_0\setminus N)\cap B_0} a.m_a && \text{Lemma 7.8, (DZ1)} \\
&= m_{B_0}
\end{align*}


The step (*) uses induction. From part (2) of Lemma 7.14 we know $\tau.n_a \sqsubseteq_{\mathrm{p2p}} m_a$ for every $a \in A_0 \cap N$. Lemma 6.3 and induction give $\tau.n_a \sqsubseteq_{\mathrm{p2p}} m_a$ in the equational theory. There are now two cases. If $n_a\,\not\checkmark$ then an application of (S1a) gives $a.n_a \sqsubseteq_{\mathrm{p2p}} a.m_a$. However if $n_a\,\checkmark$ this equation can not be used. We can nevertheless achieve the same conclusion as follows:
\begin{align*}
a.n_a &\sqsubseteq_{\mathrm{p2p}} a.(1 + \tau.n_a) && \text{(DP3)} \\
&\sqsubseteq_{\mathrm{p2p}} a.(1 + m_a) && \text{Induction} \\
&= a.m_a
\end{align*}
The last line follows from part (3) of Lemma 7.14.

(b) Suppose $n$ is as in the previous case but that $m$ is $\sum_{B\in\mathcal{B}} \tau.m_B\,\{+\,1\}$. Here we proceed as in case (c) of Theorem 7.12. Regardless of the presence or absence of the optional units, one can show that $n \sqsubseteq_{\mathrm{p2p}} m_B$ for every $B \in \mathcal{B}$. Therefore by part (a) we have $n \sqsubseteq_{\mathrm{p2p}} m_B$ in the equational theory.

Now suppose $n\,\not\checkmark$, that is $n$ does not contain $1$ as a summand. Then using the derived (D1) we have
\[
n = \tau.n = \sum_{B\in\mathcal{B}} \tau.n \;\sqsubseteq_{\mathrm{p2p}}\; \sum_{B\in\mathcal{B}} \tau.m_B \tag{7.3}
\]
If $m$ also does not contain the summand $1$ we are finished. But if it does, we know that $\mathcal{B}$ is non-empty and that each $B \in \mathcal{B}$ contains $\checkmark$. Pick one such $B_0$, and applying (P2P2) we obtain $\tau.m_{B_0} \sqsubseteq_{\mathrm{p2p}} \tau.m_{B_0} + 1$. Using this in (7.3) above we obtain the required $n \sqsubseteq_{\mathrm{p2p}} \sum_{B\in\mathcal{B}} \tau.m_B + 1$.

Finally if both $n$ and $m$ have $1$ as a summand a simple variation on the argument (7.3) above suffices.

(c) Now suppose that $n$ has the form $n_A$ for some $A \subseteq \mathrm{Act}_\checkmark$. Reasoning as in the corresponding case of Theorem 7.12 we see that the only possible form for $m$ is $m_B$ for some $B \subseteq \mathrm{Act}_\checkmark$. Now we use the fact that $\tau.n_A \sqsubseteq_{\mathrm{p2p}} n_A \sqsubseteq_{\mathrm{p2p}} m_B$ to apply Lemma 7.14. This gives that $B_0 \subseteq A$ and $A \cap N \subseteq B_0$, where $B_0$, $N$ are as described in that lemma. Now we can repeat the argument used in case (b) to show that $n_{A_0} \sqsubseteq_{\mathrm{p2p}} m_{B_0}$, where again $A_0$ denotes $A \setminus \{\checkmark\}$. Again a simple case analysis on whether $\checkmark$ is in either of $A$, $B$, as used also in case (b), will allow us to conclude that $n_A \sqsubseteq_{\mathrm{p2p}} m_B$.

□ 


8. Conclusions 


Much of the recent work on behavioural preorders for processes has been carried out using formalisms for contracts for web-services, proposed first in [CCLP06]. Spurred on by the recasting of the standard must preorder from [NH84] as a server-preorder between contracts, these ideas have been developed further in [LP07, CGP09, BdL10, Pad10].

In these publications the standard refinements are referred to as subcontracts or sub-server relations, and [LP07, CGP09, Pad10, BdL10] contain a range of alternative characterisations. For example in [LP07, CGP09] the characterisations are coinductive and essentially rely on traces and ready sets; in [BdL10] the characterisation is coinductive and syntax-oriented.

To the best of our knowledge, the first paper to use a preorder for clients is [BdL10]. But their setting is much more restricted; they use so-called session behaviours, which correspond to a much smaller class of processes than our language CCS. As there are fewer contexts, their sub-server preorder differs from our server preorder: $a_1.1 \sqsubseteq_{\mathrm{s}} a_1.1 + a_2.1$, whereas $a_1.1 \not\sqsubseteq_{\mathrm{svr}} a_1.1 + a_2.1$.

The refinements in the papers mentioned above depend on a compliance relation, rather than must testing; this is also why in [BdL10] the peer preorder coincides with the intersection of the client and the server preorders; this is not the case for the must preorders (Example 3.17 can be tailored to the setting of session behaviours). Moreover, in a general infinite branching and non-deterministic LTS the refinements in the above papers differ from the preorder $\sqsubseteq_{\mathrm{svr}}$: the subcontract relation of [LP07] turns out to be not comparable with $\sqsubseteq_{\mathrm{svr}}$, whereas the strong subcontract relation $\sqsubseteq$ of [Pad10] is strictly contained in $\sqsubseteq_{\mathrm{svr}}$ when the LTS there is convergent and finite branching. The comparison of $\sqsubseteq_{\mathrm{svr}}$ with the refinement preorder of [CGP09] is complicated by their use of a non-standard LTS. A thorough comparison of the client and server refinements given by the compliance and the must testing can be found in [BH13].

In [BMPR09] a symmetric refinement due to the compliance is studied; it differs from our peer preorder ($\sqsubseteq_{\mathrm{p2p}}$) and its characterisation does not mention usability. This is because of the restrictions of the LTS in [BMPR09]. In more general settings the usability of contracts/services is crucial; [Pad11] talks of viability, while [MSV10] talks of controllability.

Also subcontracts/subtyping for peers inspired by the should/fair-testing of [RV07] have been proposed in [BZ09, BMPR09, Pad11]. In [BZ09] the fair-testing preorder is used as a proof method for relating contracts, but no characterisation of their refinement preorder is given. A sound but incomplete characterisation is given in [BMPR09]. The focus of [Pad11] is on multi-party session types which, roughly speaking, cannot express all the behaviours of our language CCS. In view of the restricted form of session types, they can give a syntax-oriented characterisation of their subtyping relation; this is in general incomparable with our $\sqsubseteq_{\mathrm{p2p}}$.

Future work: The most obvious open question about our two new refinement preorders $\sqsubseteq_{\mathrm{clt}}$ and $\sqsubseteq_{\mathrm{p2p}}$ is the development of algorithms for finite-state systems. The ability to check efficiently whether a process is usable will play an important role.

Another interesting question would be to characterise in some equational manner the refinement preorders $\sqsubseteq_{\mathrm{clt}}$, $\sqsubseteq_{\mathrm{p2p}}$ themselves rather than their associated pre-congruences $\sqsubseteq^{c}_{\mathrm{clt}}$ and $\sqsubseteq^{c}_{\mathrm{p2p}}$. In the resulting equational theory we would have to restrict in some way the form of reasoning allowed under the external choice operator $+$, but the extra inequations needed in such a proof system might be simpler.

A further interesting question is the possible use of the parallel operator between clients and peers, either by allowing multi-party interactions as in [BZ09, BMPR09], or by deciding on how a parallel combination of clients should report success.

We have also confined our attention to refinement preorders based on must testing. But one can also define client and peer preorders based on the standard may testing of [NH84]. We believe that these refinement preorders can be completely characterised using a modified notion of trace, which takes into account the usability of residuals. Other variations on client and peer preorders are worth investigating: a "synchronous" formulation of $\sqsubseteq_{\mathrm{p2p}}$ where a computation is successful only if the peers report success at the same time; the client preorders for fair settings [Pad11, BZ09], or the ones based on the compliance of [Pad10].


Acknowledgements. The first author would like to acknowledge Vasileios Koutavas, for his 
help in unravelling the client preorder. The paper has also benefited from comprehensive 
reviews by anonymous authors, which are greatly appreciated. 
Appendix A. Justifying the derived equations

(D1): The proof is by induction on $n$. For $n = 1$, the result follows by (S1b), (S4) and idempotency of $+$. Assume it is true for $k$; that is $\tau.z = z$, where $z$ abbreviates $\sum_{i=1}^{k} \tau.x_i$. Then
\begin{align*}
\tau.z + \tau.x_{k+1} &= \tau.(\tau.z + \tau.x_{k+1}) && \text{(S1a)} \\
&= \tau.(z + \tau.x_{k+1}) && \text{Induction}
\end{align*}

(D2):
\begin{align*}
x_\checkmark + \tau.(x_\checkmark + y) &= \tau.(x_\checkmark + x_\checkmark + y) + \tau.(x_\checkmark + y) && \text{(S2)} \\
&= \tau.(x_\checkmark + y) && \text{Idempotency}
\end{align*}

(D3): One direction is immediate from (S5). Here is the converse:
\begin{align*}
\mu.x + \tau^\infty &\le \mu.x + \tau.\tau^\infty && \text{(S5)} \\
&\le \tau.(\mu.x + \tau^\infty) + \tau.\tau^\infty && \text{(S2)} \\
&\le \tau^\infty && \text{(S4)}
\end{align*}

(D4a):
\begin{align*}
\tau.x_\checkmark + \tau.y &= \tau.(\tau.x_\checkmark + \tau.y) && \text{(S1a)} \\
&= \tau.(\tau.x_\checkmark + \tau.(x_\checkmark + \tau.y)) && \text{(S2)} \\
&= \tau.(\tau.x_\checkmark + \tau.(\tau.(x_\checkmark + y) + \tau.y)) && \text{(S2)} \\
&= \tau.(\tau.x_\checkmark + \tau.(x_\checkmark + y) + \tau.y) && \text{(D1)} \\
&= \tau.x_\checkmark + \tau.(x_\checkmark + y) + \tau.y && \text{(D1)}
\end{align*}

(D5a):
\begin{align*}
\tau.x + \tau.(x + y_\checkmark + z) &= \tau.x + \tau.(x + y_\checkmark + z) + \tau.(x + y_\checkmark + z + \tau.x) && \text{(S2)} \\
&= \tau.x + \tau.(x + y_\checkmark + z) + \tau.(x + y_\checkmark + z + \tau.(x + y_\checkmark)) && \text{(S2)} \\
&= \tau.x + \tau.(x + y_\checkmark) + \tau.(x + y_\checkmark + z) && \text{(S2)}
\end{align*}

(DP1): One direction is straightforward from (P2P2). Conversely:
\begin{align*}
&\le x + 1 && \text{(P2P1)} \\
&= 1 + \mu.(x + 1) && \text{Pre-congruence} \\
&\le 1 + \mu.(\tau.x + 1) && \text{(P2P3), Idempotency} \\
&\le 1 + \mu.(\tau.x + 1) && \text{(S4), Idempotency}
\end{align*}
(DP2): This is a generalisation of (6.4) above. It is proved by induction on $n$. The case when $n = 1$ has already been discussed in (6.5) on page 28. For the inductive case let $r$ denote $\sum_{i \le k} \tau.x_i$; $r = \tau.\tau.r$ can be derived. Then
\begin{align*}
\tau.(1 + \tau.x_{k+1} + r) &= \tau.(1 + \tau.x_{k+1} + \tau.(\tau.r)) \\
&= \tau.(1 + x_{k+1}) + \tau.(1 + \tau.r) && \text{(6.4) above} \\
&= \tau.(1 + x_{k+1}) + \sum_{i \le k} \tau.(1 + x_i) && \text{Induction}
\end{align*}

(DP3):
\begin{align*}
\mu.x &\le \mu.(1 + x) && \text{(P2P1), Pre-congruence} \\
&\le \mu.(1 + \tau.x) && \text{(P2P3), Idempotency}
\end{align*}

(D4b):
\begin{align*}
\tau.(x_\checkmark + 1) + \tau.(y_\checkmark + 1) &= \tau.(\tau.(x_\checkmark + 1) + \tau.(y_\checkmark + 1)) && \text{Lemma (6.4)} \\
&= \tau.(\tau.(x_\checkmark + 1) + \tau.(x_\checkmark + 1 + \tau.(y_\checkmark + 1))) && \text{(S2), Idempotency} \\
&= \tau.(\tau.(x_\checkmark + 1) + \tau.(1 + \tau.(x_\checkmark + y_\checkmark + 1) + \tau.(y_\checkmark + 1))) && \text{(S2), Idempotency} \\
&= \tau.(\tau.(x_\checkmark + 1) + \tau.(\tau.(x_\checkmark + y_\checkmark + 1) + \tau.(y_\checkmark + 1))) && \text{(DP2)} \\
&= \tau.(x_\checkmark + 1) + \tau.(x_\checkmark + y_\checkmark + 1) + \tau.(y_\checkmark + 1) && \text{(D1) twice}
\end{align*}

(D5b):
\begin{align*}
\tau.x + \tau.(x + (y_\checkmark + 1) + z) &= \tau.x + \tau.(x + (y_\checkmark + 1) + z) + \tau.(x + (y_\checkmark + 1) + z + \tau.x) && \text{(S2)} \\
&= \tau.x + \tau.(x + (y_\checkmark + 1) + z) + \tau.(x + (y_\checkmark + 1) + z + \tau.(x + y_\checkmark)) && \text{(S2)} \\
&= \tau.x + \tau.(x + (y_\checkmark + 1) + z) + \tau.(x + (y_\checkmark + 1) + z + \tau.(x + y_\checkmark + 1)) && \text{(DP1)} \\
&= \tau.x + \tau.(x + (y_\checkmark + 1)) + \tau.(x + (y_\checkmark + 1) + z) && \text{(S2)}
\end{align*}